1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for BLE device control utilities, and LE
22 * security functions.
23 *
24 ******************************************************************************/
25
26 #define LOG_TAG "bt_btm_ble"
27
28 #include "bt_target.h"
29
30 #include <base/bind.h>
31 #include <string.h>
32
33 #include "bt_types.h"
34 #include "bt_utils.h"
35 #include "btm_ble_api.h"
36 #include "btm_int.h"
37 #include "btu.h"
38 #include "device/include/controller.h"
39 #include "gap_api.h"
40 #include "gatt_api.h"
41 #include "hcimsgs.h"
42 #include "l2c_int.h"
43 #include "log/log.h"
44 #include "main/shim/btm_api.h"
45 #include "main/shim/shim.h"
46 #include "osi/include/log.h"
47 #include "osi/include/osi.h"
48 #include "stack/crypto_toolbox/crypto_toolbox.h"
49
50 extern void gatt_notify_phy_updated(uint8_t status, uint16_t handle,
51 uint8_t tx_phy, uint8_t rx_phy);
52
53 /******************************************************************************/
54 /* External Function to be called by other modules */
55 /******************************************************************************/
56 /********************************************************
57 *
58 * Function BTM_SecAddBleDevice
59 *
60 * Description Add/modify device. This function will be normally called
61 * during host startup to restore all required information
62 * for a LE device stored in the NVRAM.
63 *
64 * Parameters: bd_addr - BD address of the peer
65 * bd_name - Name of the peer device. NULL if unknown.
66 * dev_type - Remote device's device type.
67 * addr_type - LE device address type.
68 *
69 * Returns true if added OK, else false
70 *
71 ******************************************************************************/
BTM_SecAddBleDevice(const RawAddress & bd_addr,BD_NAME bd_name,tBT_DEVICE_TYPE dev_type,tBLE_ADDR_TYPE addr_type)72 bool BTM_SecAddBleDevice(const RawAddress& bd_addr, BD_NAME bd_name,
73 tBT_DEVICE_TYPE dev_type, tBLE_ADDR_TYPE addr_type) {
74 if (bluetooth::shim::is_gd_shim_enabled()) {
75 return bluetooth::shim::BTM_SecAddBleDevice(bd_addr, bd_name, dev_type,
76 addr_type);
77 }
78
79 BTM_TRACE_DEBUG("%s: dev_type=0x%x", __func__, dev_type);
80
81 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
82 if (!p_dev_rec) {
83 p_dev_rec = btm_sec_allocate_dev_rec();
84
85 p_dev_rec->bd_addr = bd_addr;
86 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
87 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
88
89 /* update conn params, use default value for background connection params */
90 p_dev_rec->conn_params.min_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
91 p_dev_rec->conn_params.max_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
92 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_PARAM_UNDEF;
93 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_PARAM_UNDEF;
94
95 BTM_TRACE_DEBUG("%s: Device added, handle=0x%x, p_dev_rec=%p, bd_addr=%s",
96 __func__, p_dev_rec->ble_hci_handle, p_dev_rec,
97 bd_addr.ToString().c_str());
98 }
99
100 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
101
102 if (bd_name && bd_name[0]) {
103 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
104 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)bd_name,
105 BTM_MAX_REM_BD_NAME_LEN);
106 }
107 p_dev_rec->device_type |= dev_type;
108 p_dev_rec->ble.ble_addr_type = addr_type;
109
110 p_dev_rec->ble.pseudo_addr = bd_addr;
111 /* sync up with the Inq Data base*/
112 tBTM_INQ_INFO* p_info = BTM_InqDbRead(bd_addr);
113 if (p_info) {
114 p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type;
115 p_info->results.device_type = p_dev_rec->device_type;
116 BTM_TRACE_DEBUG("InqDb device_type =0x%x addr_type=0x%x",
117 p_info->results.device_type, p_info->results.ble_addr_type);
118 }
119
120 return true;
121 }
122
123 /*******************************************************************************
124 *
125 * Function BTM_SecAddBleKey
126 *
127 * Description Add/modify LE device information. This function will be
128 * normally called during host startup to restore all required
129 * information stored in the NVRAM.
130 *
131 * Parameters: bd_addr - BD address of the peer
132 * p_le_key - LE key values.
133 * key_type - LE SMP key type.
134 *
135 * Returns true if added OK, else false
136 *
137 ******************************************************************************/
BTM_SecAddBleKey(const RawAddress & bd_addr,tBTM_LE_KEY_VALUE * p_le_key,tBTM_LE_KEY_TYPE key_type)138 bool BTM_SecAddBleKey(const RawAddress& bd_addr, tBTM_LE_KEY_VALUE* p_le_key,
139 tBTM_LE_KEY_TYPE key_type) {
140 if (bluetooth::shim::is_gd_shim_enabled()) {
141 return bluetooth::shim::BTM_SecAddBleKey(bd_addr, p_le_key, key_type);
142 }
143
144 tBTM_SEC_DEV_REC* p_dev_rec;
145 BTM_TRACE_DEBUG("BTM_SecAddBleKey");
146 p_dev_rec = btm_find_dev(bd_addr);
147 if (!p_dev_rec || !p_le_key ||
148 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
149 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
150 key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID)) {
151 LOG(WARNING) << __func__
152 << " Wrong Type, or No Device record for bdaddr: " << bd_addr
153 << ", Type: " << key_type;
154 return (false);
155 }
156
157 VLOG(1) << __func__ << " BDA: " << bd_addr << ", Type: " << key_type;
158
159 btm_sec_save_le_key(bd_addr, key_type, p_le_key, false);
160
161 #if (BLE_PRIVACY_SPT == TRUE)
162 if (key_type == BTM_LE_KEY_PID || key_type == BTM_LE_KEY_LID)
163 btm_ble_resolving_list_load_dev(p_dev_rec);
164 #endif
165
166 return (true);
167 }
168
169 /*******************************************************************************
170 *
171 * Function BTM_BleLoadLocalKeys
172 *
173 * Description Local local identity key, encryption root or sign counter.
174 *
175 * Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID,
176 * BTM_BLE_KEY_TYPE_ER
177 * or BTM_BLE_KEY_TYPE_COUNTER.
178 * p_key: pointer to the key.
179 *
180 * Returns non2.
181 *
182 ******************************************************************************/
BTM_BleLoadLocalKeys(uint8_t key_type,tBTM_BLE_LOCAL_KEYS * p_key)183 void BTM_BleLoadLocalKeys(uint8_t key_type, tBTM_BLE_LOCAL_KEYS* p_key) {
184 if (bluetooth::shim::is_gd_shim_enabled()) {
185 return bluetooth::shim::BTM_BleLoadLocalKeys(key_type, p_key);
186 }
187
188 tBTM_DEVCB* p_devcb = &btm_cb.devcb;
189 BTM_TRACE_DEBUG("%s", __func__);
190 if (p_key != NULL) {
191 switch (key_type) {
192 case BTM_BLE_KEY_TYPE_ID:
193 memcpy(&p_devcb->id_keys, &p_key->id_keys,
194 sizeof(tBTM_BLE_LOCAL_ID_KEYS));
195 break;
196
197 case BTM_BLE_KEY_TYPE_ER:
198 p_devcb->ble_encryption_key_value = p_key->er;
199 break;
200
201 default:
202 BTM_TRACE_ERROR("unknow local key type: %d", key_type);
203 break;
204 }
205 }
206 }
207
208 /** Returns local device encryption root (ER) */
BTM_GetDeviceEncRoot()209 const Octet16& BTM_GetDeviceEncRoot() {
210 if (bluetooth::shim::is_gd_shim_enabled()) {
211 return bluetooth::shim::BTM_GetDeviceEncRoot();
212 }
213 return btm_cb.devcb.ble_encryption_key_value;
214 }
215
216 /** Returns local device identity root (IR). */
BTM_GetDeviceIDRoot()217 const Octet16& BTM_GetDeviceIDRoot() {
218 if (bluetooth::shim::is_gd_shim_enabled()) {
219 return bluetooth::shim::BTM_GetDeviceIDRoot();
220 }
221 return btm_cb.devcb.id_keys.irk;
222 }
223
224 /** Return local device DHK. */
BTM_GetDeviceDHK()225 const Octet16& BTM_GetDeviceDHK() {
226 if (bluetooth::shim::is_gd_shim_enabled()) {
227 return bluetooth::shim::BTM_GetDeviceDHK();
228 }
229 return btm_cb.devcb.id_keys.dhk;
230 }
231
232 /*******************************************************************************
233 *
234 * Function BTM_ReadConnectionAddr
235 *
236 * Description This function is called to get the local device address
237 * information.
238 *
239 * Returns void
240 *
241 ******************************************************************************/
BTM_ReadConnectionAddr(const RawAddress & remote_bda,RawAddress & local_conn_addr,tBLE_ADDR_TYPE * p_addr_type)242 void BTM_ReadConnectionAddr(const RawAddress& remote_bda,
243 RawAddress& local_conn_addr,
244 tBLE_ADDR_TYPE* p_addr_type) {
245 if (bluetooth::shim::is_gd_shim_enabled()) {
246 return bluetooth::shim::BTM_ReadConnectionAddr(remote_bda, local_conn_addr,
247 p_addr_type);
248 }
249 tACL_CONN* p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE);
250
251 if (p_acl == NULL) {
252 BTM_TRACE_ERROR("No connection exist!");
253 return;
254 }
255 local_conn_addr = p_acl->conn_addr;
256 *p_addr_type = p_acl->conn_addr_type;
257
258 BTM_TRACE_DEBUG("BTM_ReadConnectionAddr address type: %d addr: 0x%02x",
259 p_acl->conn_addr_type, p_acl->conn_addr.address[0]);
260 }
261
262 /*******************************************************************************
263 *
264 * Function BTM_IsBleConnection
265 *
266 * Description This function is called to check if the connection handle
267 * for an LE link
268 *
269 * Returns true if connection is LE link, otherwise false.
270 *
271 ******************************************************************************/
BTM_IsBleConnection(uint16_t conn_handle)272 bool BTM_IsBleConnection(uint16_t conn_handle) {
273 if (bluetooth::shim::is_gd_shim_enabled()) {
274 return bluetooth::shim::BTM_IsBleConnection(conn_handle);
275 }
276 uint8_t xx;
277 tACL_CONN* p;
278
279 BTM_TRACE_API("BTM_IsBleConnection: conn_handle: %d", conn_handle);
280
281 xx = btm_handle_to_acl_index(conn_handle);
282 if (xx >= MAX_L2CAP_LINKS) return false;
283
284 p = &btm_cb.acl_db[xx];
285
286 return (p->transport == BT_TRANSPORT_LE);
287 }
288
289 /*******************************************************************************
290 *
291 * Function BTM_ReadRemoteConnectionAddr
292 *
293 * Description This function is read the remote device address currently used
294 *
295 * Parameters pseudo_addr: pseudo random address available
296 * conn_addr:connection address used
297 * p_addr_type : BD Address type, Public or Random of the address
298 * used
299 *
300 * Returns bool, true if connection to remote device exists, else false
301 *
302 ******************************************************************************/
BTM_ReadRemoteConnectionAddr(const RawAddress & pseudo_addr,RawAddress & conn_addr,tBLE_ADDR_TYPE * p_addr_type)303 bool BTM_ReadRemoteConnectionAddr(const RawAddress& pseudo_addr,
304 RawAddress& conn_addr,
305 tBLE_ADDR_TYPE* p_addr_type) {
306 if (bluetooth::shim::is_gd_shim_enabled()) {
307 return bluetooth::shim::BTM_ReadRemoteConnectionAddr(pseudo_addr, conn_addr,
308 p_addr_type);
309 }
310 bool st = true;
311 #if (BLE_PRIVACY_SPT == TRUE)
312 tACL_CONN* p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE);
313
314 if (p == NULL) {
315 BTM_TRACE_ERROR(
316 "BTM_ReadRemoteConnectionAddr can not find connection"
317 " with matching address");
318 return false;
319 }
320
321 conn_addr = p->active_remote_addr;
322 *p_addr_type = p->active_remote_addr_type;
323 #else
324 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(pseudo_addr);
325
326 conn_addr = pseudo_addr;
327 if (p_dev_rec != NULL) {
328 *p_addr_type = p_dev_rec->ble.ble_addr_type;
329 }
330 #endif
331 return st;
332 }
333 /*******************************************************************************
334 *
335 * Function BTM_SecurityGrant
336 *
337 * Description This function is called to grant security process.
338 *
339 * Parameters bd_addr - peer device bd address.
340 * res - result of the operation BTM_SUCCESS if success.
341 * Otherwise, BTM_REPEATED_ATTEMPTS if too many
342 * attempts.
343 *
344 * Returns None
345 *
346 ******************************************************************************/
BTM_SecurityGrant(const RawAddress & bd_addr,uint8_t res)347 void BTM_SecurityGrant(const RawAddress& bd_addr, uint8_t res) {
348 if (bluetooth::shim::is_gd_shim_enabled()) {
349 return bluetooth::shim::BTM_SecurityGrant(bd_addr, res);
350 }
351 tSMP_STATUS res_smp =
352 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
353 BTM_TRACE_DEBUG("BTM_SecurityGrant");
354 SMP_SecurityGrant(bd_addr, res_smp);
355 }
356
357 /*******************************************************************************
358 *
359 * Function BTM_BlePasskeyReply
360 *
361 * Description This function is called after Security Manager submitted
362 * passkey request to the application.
363 *
364 * Parameters: bd_addr - Address of the device for which passkey was
365 * requested
366 * res - result of the operation BTM_SUCCESS if success
367 * key_len - length in bytes of the Passkey
368 * p_passkey - pointer to array with the passkey
369 * trusted_mask - bitwise OR of trusted services (array of
370 * uint32_t)
371 *
372 ******************************************************************************/
BTM_BlePasskeyReply(const RawAddress & bd_addr,uint8_t res,uint32_t passkey)373 void BTM_BlePasskeyReply(const RawAddress& bd_addr, uint8_t res,
374 uint32_t passkey) {
375 if (bluetooth::shim::is_gd_shim_enabled()) {
376 return bluetooth::shim::BTM_BlePasskeyReply(bd_addr, res, passkey);
377 }
378 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
379 tSMP_STATUS res_smp =
380 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
381
382 if (p_dev_rec == NULL) {
383 BTM_TRACE_ERROR("Passkey reply to Unknown device");
384 return;
385 }
386
387 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
388 BTM_TRACE_DEBUG("BTM_BlePasskeyReply");
389 SMP_PasskeyReply(bd_addr, res_smp, passkey);
390 }
391
392 /*******************************************************************************
393 *
394 * Function BTM_BleConfirmReply
395 *
396 * Description This function is called after Security Manager submitted
397 * numeric comparison request to the application.
398 *
399 * Parameters: bd_addr - Address of the device with which numeric
400 * comparison was requested
401 * res - comparison result BTM_SUCCESS if success
402 *
403 ******************************************************************************/
BTM_BleConfirmReply(const RawAddress & bd_addr,uint8_t res)404 void BTM_BleConfirmReply(const RawAddress& bd_addr, uint8_t res) {
405 if (bluetooth::shim::is_gd_shim_enabled()) {
406 return bluetooth::shim::BTM_BleConfirmReply(bd_addr, res);
407 }
408 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
409 tSMP_STATUS res_smp =
410 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
411
412 if (p_dev_rec == NULL) {
413 BTM_TRACE_ERROR("Passkey reply to Unknown device");
414 return;
415 }
416
417 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
418 BTM_TRACE_DEBUG("%s", __func__);
419 SMP_ConfirmReply(bd_addr, res_smp);
420 }
421
422 /*******************************************************************************
423 *
424 * Function BTM_BleOobDataReply
425 *
426 * Description This function is called to provide the OOB data for
427 * SMP in response to BTM_LE_OOB_REQ_EVT
428 *
429 * Parameters: bd_addr - Address of the peer device
430 * res - result of the operation SMP_SUCCESS if success
431 * p_data - oob data, depending on transport and
432 * capabilities.
433 * Might be "Simple Pairing Randomizer", or
434 * "Security Manager TK Value".
435 *
436 ******************************************************************************/
BTM_BleOobDataReply(const RawAddress & bd_addr,uint8_t res,uint8_t len,uint8_t * p_data)437 void BTM_BleOobDataReply(const RawAddress& bd_addr, uint8_t res, uint8_t len,
438 uint8_t* p_data) {
439 if (bluetooth::shim::is_gd_shim_enabled()) {
440 return bluetooth::shim::BTM_BleOobDataReply(bd_addr, res, len, p_data);
441 }
442 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
443 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
444
445 BTM_TRACE_DEBUG("%s:", __func__);
446
447 if (p_dev_rec == NULL) {
448 BTM_TRACE_ERROR("%s: Unknown device", __func__);
449 return;
450 }
451
452 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
453 SMP_OobDataReply(bd_addr, res_smp, len, p_data);
454 }
455
456 /*******************************************************************************
457 *
458 * Function BTM_BleSecureConnectionOobDataReply
459 *
460 * Description This function is called to provide the OOB data for
461 * SMP in response to BTM_LE_OOB_REQ_EVT when secure connection
462 * data is available
463 *
464 * Parameters: bd_addr - Address of the peer device
465 * p_c - pointer to Confirmation.
466 * p_r - pointer to Randomizer
467 *
468 ******************************************************************************/
BTM_BleSecureConnectionOobDataReply(const RawAddress & bd_addr,uint8_t * p_c,uint8_t * p_r)469 void BTM_BleSecureConnectionOobDataReply(const RawAddress& bd_addr,
470 uint8_t* p_c, uint8_t* p_r) {
471 if (bluetooth::shim::is_gd_shim_enabled()) {
472 return bluetooth::shim::BTM_BleSecureConnectionOobDataReply(bd_addr, p_c,
473 p_r);
474 }
475 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
476
477 BTM_TRACE_DEBUG("%s:", __func__);
478
479 if (p_dev_rec == NULL) {
480 BTM_TRACE_ERROR("%s: Unknown device", __func__);
481 return;
482 }
483
484 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
485
486 tSMP_SC_OOB_DATA oob;
487 memset(&oob, 0, sizeof(tSMP_SC_OOB_DATA));
488
489 oob.peer_oob_data.present = true;
490 memcpy(&oob.peer_oob_data.randomizer, p_r, OCTET16_LEN);
491 memcpy(&oob.peer_oob_data.commitment, p_c, OCTET16_LEN);
492 oob.peer_oob_data.addr_rcvd_from.type = p_dev_rec->ble.ble_addr_type;
493 oob.peer_oob_data.addr_rcvd_from.bda = bd_addr;
494
495 SMP_SecureConnectionOobDataReply((uint8_t*)&oob);
496 }
497
498 /******************************************************************************
499 *
500 * Function BTM_BleSetConnScanParams
501 *
502 * Description Set scan parameter used in BLE connection request
503 *
504 * Parameters: scan_interval: scan interval
505 * scan_window: scan window
506 *
507 * Returns void
508 *
509 ******************************************************************************/
BTM_BleSetConnScanParams(uint32_t scan_interval,uint32_t scan_window)510 void BTM_BleSetConnScanParams(uint32_t scan_interval, uint32_t scan_window) {
511 if (bluetooth::shim::is_gd_shim_enabled()) {
512 return bluetooth::shim::BTM_BleSetConnScanParams(scan_interval,
513 scan_window);
514 }
515 tBTM_BLE_CB* p_ble_cb = &btm_cb.ble_ctr_cb;
516 bool new_param = false;
517
518 if (BTM_BLE_ISVALID_PARAM(scan_interval, BTM_BLE_SCAN_INT_MIN,
519 BTM_BLE_SCAN_INT_MAX) &&
520 BTM_BLE_ISVALID_PARAM(scan_window, BTM_BLE_SCAN_WIN_MIN,
521 BTM_BLE_SCAN_WIN_MAX)) {
522 if (p_ble_cb->scan_int != scan_interval) {
523 p_ble_cb->scan_int = scan_interval;
524 new_param = true;
525 }
526
527 if (p_ble_cb->scan_win != scan_window) {
528 p_ble_cb->scan_win = scan_window;
529 new_param = true;
530 }
531
532 if (new_param && btm_ble_get_conn_st() == BLE_CONNECTING) {
533 btm_ble_suspend_bg_conn();
534 }
535 } else {
536 BTM_TRACE_ERROR("Illegal Connection Scan Parameters");
537 }
538 }
539
540 /********************************************************
541 *
542 * Function BTM_BleSetPrefConnParams
543 *
544 * Description Set a peripheral's preferred connection parameters
545 *
546 * Parameters: bd_addr - BD address of the peripheral
547 * scan_interval: scan interval
548 * scan_window: scan window
549 * min_conn_int - minimum preferred connection interval
550 * max_conn_int - maximum preferred connection interval
551 * slave_latency - preferred slave latency
552 * supervision_tout - preferred supervision timeout
553 *
554 * Returns void
555 *
556 ******************************************************************************/
BTM_BleSetPrefConnParams(const RawAddress & bd_addr,uint16_t min_conn_int,uint16_t max_conn_int,uint16_t slave_latency,uint16_t supervision_tout)557 void BTM_BleSetPrefConnParams(const RawAddress& bd_addr, uint16_t min_conn_int,
558 uint16_t max_conn_int, uint16_t slave_latency,
559 uint16_t supervision_tout) {
560 if (bluetooth::shim::is_gd_shim_enabled()) {
561 return bluetooth::shim::BTM_BleSetPrefConnParams(
562 bd_addr, min_conn_int, max_conn_int, slave_latency, supervision_tout);
563 }
564 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
565
566 BTM_TRACE_API(
567 "BTM_BleSetPrefConnParams min: %u max: %u latency: %u \
568 tout: %u",
569 min_conn_int, max_conn_int, slave_latency, supervision_tout);
570
571 if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN,
572 BTM_BLE_CONN_INT_MAX) &&
573 BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN,
574 BTM_BLE_CONN_INT_MAX) &&
575 BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN,
576 BTM_BLE_CONN_SUP_TOUT_MAX) &&
577 (slave_latency <= BTM_BLE_CONN_LATENCY_MAX ||
578 slave_latency == BTM_BLE_CONN_PARAM_UNDEF)) {
579 if (p_dev_rec) {
580 /* expect conn int and stout and slave latency to be updated all together
581 */
582 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF ||
583 max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) {
584 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
585 p_dev_rec->conn_params.min_conn_int = min_conn_int;
586 else
587 p_dev_rec->conn_params.min_conn_int = max_conn_int;
588
589 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
590 p_dev_rec->conn_params.max_conn_int = max_conn_int;
591 else
592 p_dev_rec->conn_params.max_conn_int = min_conn_int;
593
594 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF)
595 p_dev_rec->conn_params.slave_latency = slave_latency;
596 else
597 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF;
598
599 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
600 p_dev_rec->conn_params.supervision_tout = supervision_tout;
601 else
602 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF;
603 }
604
605 } else {
606 BTM_TRACE_ERROR("Unknown Device, setting rejected");
607 }
608 } else {
609 BTM_TRACE_ERROR("Illegal Connection Parameters");
610 }
611 }
612
613 /*******************************************************************************
614 *
615 * Function BTM_ReadDevInfo
616 *
617 * Description This function is called to read the device/address type
618 * of BD address.
619 *
620 * Parameter remote_bda: remote device address
621 * p_dev_type: output parameter to read the device type.
622 * p_addr_type: output parameter to read the address type.
623 *
624 ******************************************************************************/
BTM_ReadDevInfo(const RawAddress & remote_bda,tBT_DEVICE_TYPE * p_dev_type,tBLE_ADDR_TYPE * p_addr_type)625 void BTM_ReadDevInfo(const RawAddress& remote_bda, tBT_DEVICE_TYPE* p_dev_type,
626 tBLE_ADDR_TYPE* p_addr_type) {
627 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(remote_bda);
628 tBTM_INQ_INFO* p_inq_info = BTM_InqDbRead(remote_bda);
629
630 *p_addr_type = BLE_ADDR_PUBLIC;
631
632 if (!p_dev_rec) {
633 *p_dev_type = BT_DEVICE_TYPE_BREDR;
634 /* Check with the BT manager if details about remote device are known */
635 if (p_inq_info != NULL) {
636 *p_dev_type = p_inq_info->results.device_type;
637 *p_addr_type = p_inq_info->results.ble_addr_type;
638 } else {
639 /* unknown device, assume BR/EDR */
640 BTM_TRACE_DEBUG("btm_find_dev_type - unknown device, BR/EDR assumed");
641 }
642 } else /* there is a security device record exisitng */
643 {
644 /* new inquiry result, overwrite device type in security device record */
645 if (p_inq_info) {
646 p_dev_rec->device_type = p_inq_info->results.device_type;
647 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type;
648 }
649 if (p_dev_rec->bd_addr == remote_bda &&
650 p_dev_rec->ble.pseudo_addr == remote_bda) {
651 *p_dev_type = p_dev_rec->device_type;
652 *p_addr_type = p_dev_rec->ble.ble_addr_type;
653 } else if (p_dev_rec->ble.pseudo_addr == remote_bda) {
654 *p_dev_type = BT_DEVICE_TYPE_BLE;
655 *p_addr_type = p_dev_rec->ble.ble_addr_type;
656 } else /* matching static adddress only */
657 {
658 *p_dev_type = BT_DEVICE_TYPE_BREDR;
659 *p_addr_type = BLE_ADDR_PUBLIC;
660 }
661 }
662
663 BTM_TRACE_DEBUG("btm_find_dev_type - device_type = %d addr_type = %d",
664 *p_dev_type, *p_addr_type);
665 }
666
667 /*******************************************************************************
668 *
669 * Function BTM_ReadConnectedTransportAddress
670 *
671 * Description This function is called to read the paired device/address
672 * type of other device paired corresponding to the BD_address
673 *
674 * Parameter remote_bda: remote device address, carry out the transport
675 * address
676 * transport: active transport
677 *
678 * Return true if an active link is identified; false otherwise
679 *
680 ******************************************************************************/
BTM_ReadConnectedTransportAddress(RawAddress * remote_bda,tBT_TRANSPORT transport)681 bool BTM_ReadConnectedTransportAddress(RawAddress* remote_bda,
682 tBT_TRANSPORT transport) {
683 if (bluetooth::shim::is_gd_shim_enabled()) {
684 return bluetooth::shim::BTM_ReadConnectedTransportAddress(remote_bda,
685 transport);
686 }
687 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*remote_bda);
688
689 /* if no device can be located, return */
690 if (p_dev_rec == NULL) return false;
691
692 if (transport == BT_TRANSPORT_BR_EDR) {
693 if (btm_bda_to_acl(p_dev_rec->bd_addr, transport) != NULL) {
694 *remote_bda = p_dev_rec->bd_addr;
695 return true;
696 } else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR) {
697 *remote_bda = p_dev_rec->bd_addr;
698 } else
699 *remote_bda = RawAddress::kEmpty;
700 return false;
701 }
702
703 if (transport == BT_TRANSPORT_LE) {
704 *remote_bda = p_dev_rec->ble.pseudo_addr;
705 if (btm_bda_to_acl(p_dev_rec->ble.pseudo_addr, transport) != NULL)
706 return true;
707 else
708 return false;
709 }
710
711 return false;
712 }
713
714 /*******************************************************************************
715 *
716 * Function BTM_BleReceiverTest
717 *
718 * Description This function is called to start the LE Receiver test
719 *
720 * Parameter rx_freq - Frequency Range
721 * p_cmd_cmpl_cback - Command Complete callback
722 *
723 ******************************************************************************/
BTM_BleReceiverTest(uint8_t rx_freq,tBTM_CMPL_CB * p_cmd_cmpl_cback)724 void BTM_BleReceiverTest(uint8_t rx_freq, tBTM_CMPL_CB* p_cmd_cmpl_cback) {
725 if (bluetooth::shim::is_gd_shim_enabled()) {
726 return bluetooth::shim::BTM_BleReceiverTest(rx_freq, p_cmd_cmpl_cback);
727 }
728 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
729
730 btsnd_hcic_ble_receiver_test(rx_freq);
731 }
732
733 /*******************************************************************************
734 *
735 * Function BTM_BleTransmitterTest
736 *
737 * Description This function is called to start the LE Transmitter test
738 *
739 * Parameter tx_freq - Frequency Range
740 * test_data_len - Length in bytes of payload data in each
741 * packet
742 * packet_payload - Pattern to use in the payload
743 * p_cmd_cmpl_cback - Command Complete callback
744 *
745 ******************************************************************************/
BTM_BleTransmitterTest(uint8_t tx_freq,uint8_t test_data_len,uint8_t packet_payload,tBTM_CMPL_CB * p_cmd_cmpl_cback)746 void BTM_BleTransmitterTest(uint8_t tx_freq, uint8_t test_data_len,
747 uint8_t packet_payload,
748 tBTM_CMPL_CB* p_cmd_cmpl_cback) {
749 if (bluetooth::shim::is_gd_shim_enabled()) {
750 return bluetooth::shim::BTM_BleTransmitterTest(
751 tx_freq, test_data_len, packet_payload, p_cmd_cmpl_cback);
752 }
753 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
754 btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload);
755 }
756
757 /*******************************************************************************
758 *
759 * Function BTM_BleTestEnd
760 *
761 * Description This function is called to stop the in-progress TX or RX
762 * test
763 *
764 * Parameter p_cmd_cmpl_cback - Command complete callback
765 *
766 ******************************************************************************/
BTM_BleTestEnd(tBTM_CMPL_CB * p_cmd_cmpl_cback)767 void BTM_BleTestEnd(tBTM_CMPL_CB* p_cmd_cmpl_cback) {
768 if (bluetooth::shim::is_gd_shim_enabled()) {
769 return bluetooth::shim::BTM_BleTestEnd(p_cmd_cmpl_cback);
770 }
771 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
772
773 btsnd_hcic_ble_test_end();
774 }
775
776 /*******************************************************************************
777 * Internal Functions
778 ******************************************************************************/
btm_ble_test_command_complete(uint8_t * p)779 void btm_ble_test_command_complete(uint8_t* p) {
780 tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
781
782 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
783
784 if (p_cb) {
785 (*p_cb)(p);
786 }
787 }
788
789 /*******************************************************************************
790 *
791 * Function BTM_UseLeLink
792 *
793 * Description This function is to select the underlying physical link to
794 * use.
795 *
796 * Returns true to use LE, false use BR/EDR.
797 *
798 ******************************************************************************/
BTM_UseLeLink(const RawAddress & bd_addr)799 bool BTM_UseLeLink(const RawAddress& bd_addr) {
800 if (bluetooth::shim::is_gd_shim_enabled()) {
801 return bluetooth::shim::BTM_UseLeLink(bd_addr);
802 }
803 tACL_CONN* p;
804 tBT_DEVICE_TYPE dev_type;
805 tBLE_ADDR_TYPE addr_type;
806 bool use_le = false;
807
808 p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR);
809 if (p != NULL) {
810 return use_le;
811 } else {
812 p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
813 if (p != NULL) {
814 use_le = true;
815 } else {
816 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
817 use_le = (dev_type == BT_DEVICE_TYPE_BLE);
818 }
819 }
820 return use_le;
821 }
822
823 /*******************************************************************************
824 *
825 * Function BTM_SetBleDataLength
826 *
827 * Description This function is to set maximum BLE transmission packet size
828 *
829 * Returns BTM_SUCCESS if success; otherwise failed.
830 *
831 ******************************************************************************/
BTM_SetBleDataLength(const RawAddress & bd_addr,uint16_t tx_pdu_length)832 tBTM_STATUS BTM_SetBleDataLength(const RawAddress& bd_addr,
833 uint16_t tx_pdu_length) {
834 if (bluetooth::shim::is_gd_shim_enabled()) {
835 return bluetooth::shim::BTM_SetBleDataLength(bd_addr, tx_pdu_length);
836 }
837 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
838 uint16_t tx_time = BTM_BLE_DATA_TX_TIME_MAX_LEGACY;
839
840 if (p_acl == NULL) {
841 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
842 __func__);
843 return BTM_WRONG_MODE;
844 }
845
846 BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __func__, tx_pdu_length);
847
848 if (!controller_get_interface()->supports_ble_packet_extension()) {
849 BTM_TRACE_ERROR("%s failed, request not supported", __func__);
850 return BTM_ILLEGAL_VALUE;
851 }
852
853 if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) {
854 BTM_TRACE_ERROR("%s failed, peer does not support request", __func__);
855 return BTM_ILLEGAL_VALUE;
856 }
857
858 if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX)
859 tx_pdu_length = BTM_BLE_DATA_SIZE_MAX;
860 else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN)
861 tx_pdu_length = BTM_BLE_DATA_SIZE_MIN;
862
863 if (controller_get_interface()->get_bt_version()->hci_version >= HCI_PROTO_VERSION_5_0)
864 tx_time = BTM_BLE_DATA_TX_TIME_MAX;
865
866 btsnd_hcic_ble_set_data_length(p_acl->hci_handle, tx_pdu_length, tx_time);
867
868 return BTM_SUCCESS;
869 }
870
read_phy_cb(base::Callback<void (uint8_t tx_phy,uint8_t rx_phy,uint8_t status)> cb,uint8_t * data,uint16_t len)871 void read_phy_cb(
872 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb,
873 uint8_t* data, uint16_t len) {
874 uint8_t status, tx_phy, rx_phy;
875 uint16_t handle;
876
877 LOG_ASSERT(len == 5) << "Received bad response length: " << len;
878 uint8_t* pp = data;
879 STREAM_TO_UINT8(status, pp);
880 STREAM_TO_UINT16(handle, pp);
881 handle = handle & 0x0FFF;
882 STREAM_TO_UINT8(tx_phy, pp);
883 STREAM_TO_UINT8(rx_phy, pp);
884
885 DVLOG(1) << __func__ << " Received read_phy_cb";
886 cb.Run(tx_phy, rx_phy, status);
887 }
888
889 /*******************************************************************************
890 *
891 * Function BTM_BleReadPhy
892 *
893 * Description To read the current PHYs for specified LE connection
894 *
895 *
896 * Returns BTM_SUCCESS if command successfully sent to controller,
897 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
898 * 2M or LE Coded PHY,
899 * BTM_WRONG_MODE if Device in wrong mode for request.
900 *
901 ******************************************************************************/
BTM_BleReadPhy(const RawAddress & bd_addr,base::Callback<void (uint8_t tx_phy,uint8_t rx_phy,uint8_t status)> cb)902 void BTM_BleReadPhy(
903 const RawAddress& bd_addr,
904 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb) {
905 if (bluetooth::shim::is_gd_shim_enabled()) {
906 return bluetooth::shim::BTM_BleReadPhy(bd_addr, cb);
907 }
908 BTM_TRACE_DEBUG("%s", __func__);
909
910 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
911
912 if (p_acl == NULL) {
913 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
914 __func__);
915 cb.Run(0, 0, HCI_ERR_NO_CONNECTION);
916 return;
917 }
918
919 // checking if local controller supports it!
920 if (!controller_get_interface()->supports_ble_2m_phy() &&
921 !controller_get_interface()->supports_ble_coded_phy()) {
922 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
923 __func__);
924 cb.Run(0, 0, GATT_REQ_NOT_SUPPORTED);
925 return;
926 }
927
928 uint16_t handle = p_acl->hci_handle;
929
930 const uint8_t len = HCIC_PARAM_SIZE_BLE_READ_PHY;
931 uint8_t data[len];
932 uint8_t* pp = data;
933 UINT16_TO_STREAM(pp, handle);
934 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_READ_PHY, data, len,
935 base::Bind(&read_phy_cb, std::move(cb)));
936 return;
937 }
938
doNothing(uint8_t * data,uint16_t len)939 void doNothing(uint8_t* data, uint16_t len) {}
940
941 /*******************************************************************************
942 *
943 * Function BTM_BleSetDefaultPhy
944 *
945 * Description To set preferred PHY for ensuing LE connections
946 *
947 *
948 * Returns BTM_SUCCESS if command successfully sent to controller,
949 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
950 * 2M or LE Coded PHY
951 *
952 ******************************************************************************/
BTM_BleSetDefaultPhy(uint8_t all_phys,uint8_t tx_phys,uint8_t rx_phys)953 tBTM_STATUS BTM_BleSetDefaultPhy(uint8_t all_phys, uint8_t tx_phys,
954 uint8_t rx_phys) {
955 if (bluetooth::shim::is_gd_shim_enabled()) {
956 return bluetooth::shim::BTM_BleSetDefaultPhy(all_phys, tx_phys, rx_phys);
957 }
958 BTM_TRACE_DEBUG("%s: all_phys = 0x%02x, tx_phys = 0x%02x, rx_phys = 0x%02x",
959 __func__, all_phys, tx_phys, rx_phys);
960
961 // checking if local controller supports it!
962 if (!controller_get_interface()->supports_ble_2m_phy() &&
963 !controller_get_interface()->supports_ble_coded_phy()) {
964 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
965 __func__);
966 return BTM_MODE_UNSUPPORTED;
967 }
968
969 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_DEFAULT_PHY;
970 uint8_t data[len];
971 uint8_t* pp = data;
972 UINT8_TO_STREAM(pp, all_phys);
973 UINT8_TO_STREAM(pp, tx_phys);
974 UINT8_TO_STREAM(pp, rx_phys);
975 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_DEFAULT_PHY, data, len,
976 base::Bind(doNothing));
977 return BTM_SUCCESS;
978 }
979
980 /*******************************************************************************
981 *
982 * Function BTM_BleSetPhy
983 *
984 * Description To set PHY preferences for specified LE connection
985 *
986 *
987 * Returns BTM_SUCCESS if command successfully sent to controller,
988 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
989 * 2M or LE Coded PHY,
990 * BTM_ILLEGAL_VALUE if specified remote doesn't support LE 2M
991 * or LE Coded PHY,
992 * BTM_WRONG_MODE if Device in wrong mode for request.
993 *
994 ******************************************************************************/
BTM_BleSetPhy(const RawAddress & bd_addr,uint8_t tx_phys,uint8_t rx_phys,uint16_t phy_options)995 void BTM_BleSetPhy(const RawAddress& bd_addr, uint8_t tx_phys, uint8_t rx_phys,
996 uint16_t phy_options) {
997 if (bluetooth::shim::is_gd_shim_enabled()) {
998 return bluetooth::shim::BTM_BleSetPhy(bd_addr, tx_phys, rx_phys,
999 phy_options);
1000 }
1001 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
1002
1003 if (p_acl == NULL) {
1004 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
1005 __func__);
1006 return;
1007 }
1008
1009 uint8_t all_phys = 0;
1010 if (tx_phys == 0) all_phys &= 0x01;
1011 if (rx_phys == 0) all_phys &= 0x02;
1012
1013 BTM_TRACE_DEBUG(
1014 "%s: all_phys = 0x%02x, tx_phys = 0x%02x, rx_phys = 0x%02x, phy_options "
1015 "= 0x%04x",
1016 __func__, all_phys, tx_phys, rx_phys, phy_options);
1017
1018 uint16_t handle = p_acl->hci_handle;
1019
1020 // checking if local controller supports it!
1021 if (!controller_get_interface()->supports_ble_2m_phy() &&
1022 !controller_get_interface()->supports_ble_coded_phy()) {
1023 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
1024 __func__);
1025 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys);
1026 return;
1027 }
1028
1029 if (!HCI_LE_2M_PHY_SUPPORTED(p_acl->peer_le_features) &&
1030 !HCI_LE_CODED_PHY_SUPPORTED(p_acl->peer_le_features)) {
1031 BTM_TRACE_ERROR("%s failed, peer does not support request", __func__);
1032 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys);
1033 return;
1034 }
1035
1036 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_PHY;
1037 uint8_t data[len];
1038 uint8_t* pp = data;
1039 UINT16_TO_STREAM(pp, handle);
1040 UINT8_TO_STREAM(pp, all_phys);
1041 UINT8_TO_STREAM(pp, tx_phys);
1042 UINT8_TO_STREAM(pp, rx_phys);
1043 UINT16_TO_STREAM(pp, phy_options);
1044 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_PHY, data, len,
1045 base::Bind(doNothing));
1046 }
1047
1048 /*******************************************************************************
1049 *
1050 * Function btm_ble_determine_security_act
1051 *
1052 * Description This function checks the security of current LE link
1053 * and returns the appropriate action that needs to be
1054 * taken to achieve the required security.
1055 *
1056 * Parameter is_originator - True if outgoing connection
1057 * bdaddr: remote device address
1058 * security_required: Security required for the service.
1059 *
1060 * Returns The appropriate security action required.
1061 *
1062 ******************************************************************************/
btm_ble_determine_security_act(bool is_originator,const RawAddress & bdaddr,uint16_t security_required)1063 tBTM_SEC_ACTION btm_ble_determine_security_act(bool is_originator,
1064 const RawAddress& bdaddr,
1065 uint16_t security_required) {
1066 tBTM_LE_AUTH_REQ auth_req = 0x00;
1067
1068 if (is_originator) {
1069 if ((security_required & BTM_SEC_OUT_FLAGS) == 0 &&
1070 (security_required & BTM_SEC_OUT_MITM) == 0) {
1071 BTM_TRACE_DEBUG("%s No security required for outgoing connection",
1072 __func__);
1073 return BTM_SEC_OK;
1074 }
1075
1076 if (security_required & BTM_SEC_OUT_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM;
1077 } else {
1078 if ((security_required & BTM_SEC_IN_FLAGS) == 0 &&
1079 (security_required & BTM_SEC_IN_MITM) == 0) {
1080 BTM_TRACE_DEBUG("%s No security required for incoming connection",
1081 __func__);
1082 return BTM_SEC_OK;
1083 }
1084
1085 if (security_required & BTM_SEC_IN_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM;
1086 }
1087
1088 tBTM_BLE_SEC_REQ_ACT ble_sec_act;
1089 btm_ble_link_sec_check(bdaddr, auth_req, &ble_sec_act);
1090
1091 BTM_TRACE_DEBUG("%s ble_sec_act %d", __func__, ble_sec_act);
1092
1093 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD) return BTM_SEC_ENC_PENDING;
1094
1095 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_NONE) return BTM_SEC_OK;
1096
1097 uint8_t sec_flag = 0;
1098 BTM_GetSecurityFlagsByTransport(bdaddr, &sec_flag, BT_TRANSPORT_LE);
1099
1100 bool is_link_encrypted = false;
1101 bool is_key_mitm = false;
1102 if (sec_flag & (BTM_SEC_FLAG_ENCRYPTED | BTM_SEC_FLAG_LKEY_KNOWN)) {
1103 if (sec_flag & BTM_SEC_FLAG_ENCRYPTED) is_link_encrypted = true;
1104
1105 if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED) is_key_mitm = true;
1106 }
1107
1108 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
1109 if (!is_key_mitm) {
1110 return BTM_SEC_ENCRYPT_MITM;
1111 } else {
1112 if (is_link_encrypted)
1113 return BTM_SEC_OK;
1114 else
1115 return BTM_SEC_ENCRYPT;
1116 }
1117 } else {
1118 if (is_link_encrypted)
1119 return BTM_SEC_OK;
1120 else
1121 return BTM_SEC_ENCRYPT_NO_MITM;
1122 }
1123
1124 return BTM_SEC_OK;
1125 }
1126
1127 /*******************************************************************************
1128 *
1129 * Function btm_ble_start_sec_check
1130 *
1131 * Description This function is to check and set the security required for
1132 * LE link for LE COC.
1133 *
1134 * Parameter bdaddr: remote device address.
1135 * psm : PSM of the LE COC sevice.
1136 * is_originator: true if outgoing connection.
1137 * p_callback : Pointer to the callback function.
1138 * p_ref_data : Pointer to be returned along with the callback.
1139 *
1140 * Returns Returns - L2CAP LE Connection Response Result Code.
1141 *
1142 ******************************************************************************/
btm_ble_start_sec_check(const RawAddress & bd_addr,uint16_t psm,bool is_originator,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)1143 tL2CAP_LE_RESULT_CODE btm_ble_start_sec_check(const RawAddress& bd_addr,
1144 uint16_t psm, bool is_originator,
1145 tBTM_SEC_CALLBACK* p_callback,
1146 void* p_ref_data) {
1147 /* Find the service record for the PSM */
1148 tBTM_SEC_SERV_REC* p_serv_rec = btm_sec_find_first_serv(is_originator, psm);
1149
1150 /* If there is no application registered with this PSM do not allow connection
1151 */
1152 if (!p_serv_rec) {
1153 BTM_TRACE_WARNING("%s PSM: %d no application registerd", __func__, psm);
1154 (*p_callback)(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_MODE_UNSUPPORTED);
1155 return L2CAP_LE_RESULT_NO_PSM;
1156 }
1157 uint8_t sec_flag = 0;
1158 BTM_GetSecurityFlagsByTransport(bd_addr, &sec_flag, BT_TRANSPORT_LE);
1159
1160 if (!is_originator) {
1161 if ((p_serv_rec->security_flags & BTM_SEC_IN_ENCRYPT) &&
1162 !(sec_flag & BTM_SEC_ENCRYPTED)) {
1163 BTM_TRACE_ERROR(
1164 "%s: L2CAP_LE_RESULT_INSUFFICIENT_ENCRYP. service "
1165 "security_flags=0x%x, "
1166 "sec_flag=0x%x",
1167 __func__, p_serv_rec->security_flags, sec_flag);
1168 return L2CAP_LE_RESULT_INSUFFICIENT_ENCRYP;
1169 } else if ((p_serv_rec->security_flags & BTM_SEC_IN_AUTHENTICATE) &&
1170 !(sec_flag &
1171 (BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_AUTHENTICATED))) {
1172 BTM_TRACE_ERROR(
1173 "%s: L2CAP_LE_RESULT_INSUFFICIENT_AUTHENTICATION. service "
1174 "security_flags=0x%x, "
1175 "sec_flag=0x%x",
1176 __func__, p_serv_rec->security_flags, sec_flag);
1177 return L2CAP_LE_RESULT_INSUFFICIENT_AUTHENTICATION;
1178 }
1179 /* TODO: When security is required, then must check that the key size of our
1180 service is equal or smaller than the incoming connection key size. */
1181 }
1182
1183 tBTM_SEC_ACTION sec_act = btm_ble_determine_security_act(
1184 is_originator, bd_addr, p_serv_rec->security_flags);
1185
1186 tBTM_BLE_SEC_ACT ble_sec_act = BTM_BLE_SEC_NONE;
1187 tL2CAP_LE_RESULT_CODE result = L2CAP_LE_RESULT_CONN_OK;
1188
1189 switch (sec_act) {
1190 case BTM_SEC_OK:
1191 BTM_TRACE_DEBUG("%s Security met", __func__);
1192 p_callback(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_SUCCESS);
1193 result = L2CAP_LE_RESULT_CONN_OK;
1194 break;
1195
1196 case BTM_SEC_ENCRYPT:
1197 BTM_TRACE_DEBUG("%s Encryption needs to be done", __func__);
1198 ble_sec_act = BTM_BLE_SEC_ENCRYPT;
1199 break;
1200
1201 case BTM_SEC_ENCRYPT_MITM:
1202 BTM_TRACE_DEBUG("%s Pairing with MITM needs to be done", __func__);
1203 ble_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
1204 break;
1205
1206 case BTM_SEC_ENCRYPT_NO_MITM:
1207 BTM_TRACE_DEBUG("%s Pairing with No MITM needs to be done", __func__);
1208 ble_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
1209 break;
1210
1211 case BTM_SEC_ENC_PENDING:
1212 BTM_TRACE_DEBUG("%s Ecryption pending", __func__);
1213 break;
1214 }
1215
1216 if (ble_sec_act == BTM_BLE_SEC_NONE) return result;
1217
1218 tL2C_LCB* p_lcb = l2cu_find_lcb_by_bd_addr(bd_addr, BT_TRANSPORT_LE);
1219 p_lcb->sec_act = sec_act;
1220 BTM_SetEncryption(bd_addr, BT_TRANSPORT_LE, p_callback, p_ref_data,
1221 ble_sec_act);
1222
1223 return L2CAP_LE_RESULT_CONN_OK;
1224 }
1225
1226 /*******************************************************************************
1227 *
1228 * Function btm_ble_rand_enc_complete
1229 *
1230 * Description This function is the callback functions for HCI_Rand command
1231 * and HCI_Encrypt command is completed.
1232 * This message is received from the HCI.
1233 *
1234 * Returns void
1235 *
1236 ******************************************************************************/
btm_ble_rand_enc_complete(uint8_t * p,uint16_t op_code,tBTM_RAND_ENC_CB * p_enc_cplt_cback)1237 void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,
1238 tBTM_RAND_ENC_CB* p_enc_cplt_cback) {
1239 tBTM_RAND_ENC params;
1240 uint8_t* p_dest = params.param_buf;
1241
1242 BTM_TRACE_DEBUG("btm_ble_rand_enc_complete");
1243
1244 memset(¶ms, 0, sizeof(tBTM_RAND_ENC));
1245
1246 /* If there was a callback address for vcs complete, call it */
1247 if (p_enc_cplt_cback && p) {
1248 /* Pass paramters to the callback function */
1249 STREAM_TO_UINT8(params.status, p); /* command status */
1250
1251 if (params.status == HCI_SUCCESS) {
1252 params.opcode = op_code;
1253
1254 if (op_code == HCI_BLE_RAND)
1255 params.param_len = BT_OCTET8_LEN;
1256 else
1257 params.param_len = OCTET16_LEN;
1258
1259 /* Fetch return info from HCI event message */
1260 memcpy(p_dest, p, params.param_len);
1261 }
1262 if (p_enc_cplt_cback) /* Call the Encryption complete callback function */
1263 (*p_enc_cplt_cback)(¶ms);
1264 }
1265 }
1266
1267 /*******************************************************************************
1268 *
1269 * Function btm_ble_get_enc_key_type
1270 *
1271 * Description This function is to increment local sign counter
1272 * Returns None
1273 *
1274 ******************************************************************************/
btm_ble_increment_sign_ctr(const RawAddress & bd_addr,bool is_local)1275 void btm_ble_increment_sign_ctr(const RawAddress& bd_addr, bool is_local) {
1276 tBTM_SEC_DEV_REC* p_dev_rec;
1277
1278 BTM_TRACE_DEBUG("btm_ble_increment_sign_ctr is_local=%d", is_local);
1279
1280 p_dev_rec = btm_find_dev(bd_addr);
1281 if (p_dev_rec != NULL) {
1282 if (is_local)
1283 p_dev_rec->ble.keys.local_counter++;
1284 else
1285 p_dev_rec->ble.keys.counter++;
1286 BTM_TRACE_DEBUG("is_local=%d local sign counter=%d peer sign counter=%d",
1287 is_local, p_dev_rec->ble.keys.local_counter,
1288 p_dev_rec->ble.keys.counter);
1289 }
1290 }
1291
1292 /*******************************************************************************
1293 *
1294 * Function btm_ble_get_enc_key_type
1295 *
1296 * Description This function is to get the BLE key type that has been
1297 * exchanged betweem the local device and the peer device.
1298 *
1299 * Returns p_key_type: output parameter to carry the key type value.
1300 *
1301 ******************************************************************************/
btm_ble_get_enc_key_type(const RawAddress & bd_addr,uint8_t * p_key_types)1302 bool btm_ble_get_enc_key_type(const RawAddress& bd_addr, uint8_t* p_key_types) {
1303 tBTM_SEC_DEV_REC* p_dev_rec;
1304
1305 BTM_TRACE_DEBUG("btm_ble_get_enc_key_type");
1306
1307 p_dev_rec = btm_find_dev(bd_addr);
1308 if (p_dev_rec != NULL) {
1309 *p_key_types = p_dev_rec->ble.key_type;
1310 return true;
1311 }
1312 return false;
1313 }
1314
1315 /*******************************************************************************
1316 *
1317 * Function btm_get_local_div
1318 *
1319 * Description This function is called to read the local DIV
1320 *
1321 * Returns TURE - if a valid DIV is availavle
1322 ******************************************************************************/
btm_get_local_div(const RawAddress & bd_addr,uint16_t * p_div)1323 bool btm_get_local_div(const RawAddress& bd_addr, uint16_t* p_div) {
1324 tBTM_SEC_DEV_REC* p_dev_rec;
1325 bool status = false;
1326 VLOG(1) << __func__ << " bd_addr: " << bd_addr;
1327
1328 *p_div = 0;
1329 p_dev_rec = btm_find_dev(bd_addr);
1330
1331 if (p_dev_rec && p_dev_rec->ble.keys.div) {
1332 status = true;
1333 *p_div = p_dev_rec->ble.keys.div;
1334 }
1335 BTM_TRACE_DEBUG("btm_get_local_div status=%d (1-OK) DIV=0x%x", status,
1336 *p_div);
1337 return status;
1338 }
1339
1340 /*******************************************************************************
1341 *
1342 * Function btm_sec_save_le_key
1343 *
1344 * Description This function is called by the SMP to update
1345 * an BLE key. SMP is internal, whereas all the keys shall
1346 * be sent to the application. The function is also called
1347 * when application passes ble key stored in NVRAM to the
1348 * btm_sec.
1349 * pass_to_application parameter is false in this case.
1350 *
1351 * Returns void
1352 *
1353 ******************************************************************************/
btm_sec_save_le_key(const RawAddress & bd_addr,tBTM_LE_KEY_TYPE key_type,tBTM_LE_KEY_VALUE * p_keys,bool pass_to_application)1354 void btm_sec_save_le_key(const RawAddress& bd_addr, tBTM_LE_KEY_TYPE key_type,
1355 tBTM_LE_KEY_VALUE* p_keys, bool pass_to_application) {
1356 tBTM_SEC_DEV_REC* p_rec;
1357 tBTM_LE_EVT_DATA cb_data;
1358
1359 BTM_TRACE_DEBUG("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",
1360 key_type, pass_to_application);
1361 /* Store the updated key in the device database */
1362
1363 VLOG(1) << "bd_addr:" << bd_addr;
1364
1365 if ((p_rec = btm_find_dev(bd_addr)) != NULL &&
1366 (p_keys || key_type == BTM_LE_KEY_LID)) {
1367 btm_ble_init_pseudo_addr(p_rec, bd_addr);
1368
1369 switch (key_type) {
1370 case BTM_LE_KEY_PENC:
1371 p_rec->ble.keys.pltk = p_keys->penc_key.ltk;
1372 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
1373 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
1374 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
1375 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
1376 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
1377 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1378 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
1379 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1380 else
1381 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1382 BTM_TRACE_DEBUG(
1383 "BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
1384 p_rec->ble.key_type, p_rec->sec_flags, p_rec->ble.keys.sec_level);
1385 break;
1386
1387 case BTM_LE_KEY_PID:
1388 p_rec->ble.keys.irk = p_keys->pid_key.irk;
1389 p_rec->ble.identity_addr = p_keys->pid_key.identity_addr;
1390 p_rec->ble.identity_addr_type = p_keys->pid_key.identity_addr_type;
1391 p_rec->ble.key_type |= BTM_LE_KEY_PID;
1392 BTM_TRACE_DEBUG(
1393 "%s: BTM_LE_KEY_PID key_type=0x%x save peer IRK, change bd_addr=%s "
1394 "to id_addr=%s id_addr_type=0x%x",
1395 __func__, p_rec->ble.key_type, p_rec->bd_addr.ToString().c_str(),
1396 p_keys->pid_key.identity_addr.ToString().c_str(),
1397 p_keys->pid_key.identity_addr_type);
1398 /* update device record address as identity address */
1399 p_rec->bd_addr = p_keys->pid_key.identity_addr;
1400 /* combine DUMO device security record if needed */
1401 btm_consolidate_dev(p_rec);
1402 break;
1403
1404 case BTM_LE_KEY_PCSRK:
1405 p_rec->ble.keys.pcsrk = p_keys->pcsrk_key.csrk;
1406 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
1407 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter;
1408 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
1409 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1410 if (p_keys->pcsrk_key.sec_level == SMP_SEC_AUTHENTICATED)
1411 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1412 else
1413 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1414
1415 BTM_TRACE_DEBUG(
1416 "BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x "
1417 "peer_counter=%d",
1418 p_rec->ble.key_type, p_rec->sec_flags,
1419 p_rec->ble.keys.srk_sec_level, p_rec->ble.keys.counter);
1420 break;
1421
1422 case BTM_LE_KEY_LENC:
1423 p_rec->ble.keys.lltk = p_keys->lenc_key.ltk;
1424 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
1425 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
1426 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
1427 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
1428
1429 BTM_TRACE_DEBUG(
1430 "BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x "
1431 "sec_level=0x%x",
1432 p_rec->ble.key_type, p_rec->ble.keys.div, p_rec->ble.keys.key_size,
1433 p_rec->ble.keys.sec_level);
1434 break;
1435
1436 case BTM_LE_KEY_LCSRK: /* local CSRK has been delivered */
1437 p_rec->ble.keys.lcsrk = p_keys->lcsrk_key.csrk;
1438 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
1439 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
1440 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter;
1441 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
1442 BTM_TRACE_DEBUG(
1443 "BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x "
1444 "local_counter=%d",
1445 p_rec->ble.key_type, p_rec->ble.keys.div,
1446 p_rec->ble.keys.local_csrk_sec_level,
1447 p_rec->ble.keys.local_counter);
1448 break;
1449
1450 case BTM_LE_KEY_LID:
1451 p_rec->ble.key_type |= BTM_LE_KEY_LID;
1452 break;
1453 default:
1454 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)",
1455 key_type);
1456 return;
1457 }
1458
1459 VLOG(1) << "BLE key type 0x" << loghex(key_type)
1460 << " updated for BDA: " << bd_addr << " (btm_sec_save_le_key)";
1461
1462 /* Notify the application that one of the BLE keys has been updated
1463 If link key is in progress, it will get sent later.*/
1464 if (pass_to_application && btm_cb.api.p_le_callback) {
1465 cb_data.key.p_key_value = p_keys;
1466 cb_data.key.key_type = key_type;
1467
1468 (*btm_cb.api.p_le_callback)(BTM_LE_KEY_EVT, bd_addr, &cb_data);
1469 }
1470 return;
1471 }
1472
1473 LOG(WARNING) << "BLE key type 0x" << loghex(key_type)
1474 << " called for Unknown BDA or type: " << bd_addr
1475 << "(btm_sec_save_le_key)";
1476
1477 if (p_rec) {
1478 BTM_TRACE_DEBUG("sec_flags=0x%x", p_rec->sec_flags);
1479 }
1480 }
1481
1482 /*******************************************************************************
1483 *
1484 * Function btm_ble_update_sec_key_size
1485 *
1486 * Description update the current lin kencryption key size
1487 *
1488 * Returns void
1489 *
1490 ******************************************************************************/
btm_ble_update_sec_key_size(const RawAddress & bd_addr,uint8_t enc_key_size)1491 void btm_ble_update_sec_key_size(const RawAddress& bd_addr,
1492 uint8_t enc_key_size) {
1493 tBTM_SEC_DEV_REC* p_rec;
1494
1495 BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d",
1496 enc_key_size);
1497
1498 p_rec = btm_find_dev(bd_addr);
1499 if (p_rec != NULL) {
1500 p_rec->enc_key_size = enc_key_size;
1501 }
1502 }
1503
1504 /*******************************************************************************
1505 *
1506 * Function btm_ble_read_sec_key_size
1507 *
1508 * Description update the current lin kencryption key size
1509 *
1510 * Returns void
1511 *
1512 ******************************************************************************/
btm_ble_read_sec_key_size(const RawAddress & bd_addr)1513 uint8_t btm_ble_read_sec_key_size(const RawAddress& bd_addr) {
1514 tBTM_SEC_DEV_REC* p_rec;
1515
1516 p_rec = btm_find_dev(bd_addr);
1517 if (p_rec != NULL) {
1518 return p_rec->enc_key_size;
1519 } else
1520 return 0;
1521 }
1522
1523 /*******************************************************************************
1524 *
1525 * Function btm_ble_link_sec_check
1526 *
1527 * Description Check BLE link security level match.
1528 *
1529 * Returns true: check is OK and the *p_sec_req_act contain the action
1530 *
1531 ******************************************************************************/
btm_ble_link_sec_check(const RawAddress & bd_addr,tBTM_LE_AUTH_REQ auth_req,tBTM_BLE_SEC_REQ_ACT * p_sec_req_act)1532 void btm_ble_link_sec_check(const RawAddress& bd_addr,
1533 tBTM_LE_AUTH_REQ auth_req,
1534 tBTM_BLE_SEC_REQ_ACT* p_sec_req_act) {
1535 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1536 uint8_t req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE;
1537
1538 BTM_TRACE_DEBUG("btm_ble_link_sec_check auth_req =0x%x", auth_req);
1539
1540 if (p_dev_rec == NULL) {
1541 BTM_TRACE_ERROR("btm_ble_link_sec_check received for unknown device");
1542 return;
1543 }
1544
1545 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
1546 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) {
1547 /* race condition: discard the security request while master is encrypting
1548 * the link */
1549 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1550 } else {
1551 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1552 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
1553 req_sec_level = BTM_LE_SEC_AUTHENTICATED;
1554 }
1555
1556 BTM_TRACE_DEBUG("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
1557
1558 /* currently encrpted */
1559 if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED) {
1560 if (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)
1561 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
1562 else
1563 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1564 } else /* unencrypted link */
1565 {
1566 /* if bonded, get the key security level */
1567 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
1568 cur_sec_level = p_dev_rec->ble.keys.sec_level;
1569 else
1570 cur_sec_level = BTM_LE_SEC_NONE;
1571 }
1572
1573 if (cur_sec_level >= req_sec_level) {
1574 /* To avoid re-encryption on an encrypted link for an equal condition
1575 * encryption */
1576 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
1577 } else {
1578 /* start the pariring process to upgrade the keys*/
1579 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR;
1580 }
1581 }
1582
1583 BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
1584 cur_sec_level, req_sec_level, *p_sec_req_act);
1585 }
1586
1587 /*******************************************************************************
1588 *
1589 * Function btm_ble_set_encryption
1590 *
1591 * Description This function is called to ensure that LE connection is
1592 * encrypted. Should be called only on an open connection.
1593 * Typically only needed for connections that first want to
1594 * bring up unencrypted links, then later encrypt them.
1595 *
1596 * Returns void
1597 * the local device ER is copied into er
1598 *
1599 ******************************************************************************/
btm_ble_set_encryption(const RawAddress & bd_addr,tBTM_BLE_SEC_ACT sec_act,uint8_t link_role)1600 tBTM_STATUS btm_ble_set_encryption(const RawAddress& bd_addr,
1601 tBTM_BLE_SEC_ACT sec_act,
1602 uint8_t link_role) {
1603 tBTM_STATUS cmd = BTM_NO_RESOURCES;
1604 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
1605 tBTM_BLE_SEC_REQ_ACT sec_req_act;
1606 tBTM_LE_AUTH_REQ auth_req;
1607
1608 if (p_rec == NULL) {
1609 BTM_TRACE_WARNING(
1610 "btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
1611 return (BTM_WRONG_MODE);
1612 }
1613
1614 BTM_TRACE_DEBUG("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act,
1615 p_rec->role_master);
1616
1617 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) {
1618 p_rec->security_required |= BTM_SEC_IN_MITM;
1619 }
1620
1621 switch (sec_act) {
1622 case BTM_BLE_SEC_ENCRYPT:
1623 if (link_role == BTM_ROLE_MASTER) {
1624 /* start link layer encryption using the security info stored */
1625 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1626 break;
1627 }
1628 /* if salve role then fall through to call SMP_Pair below which will send a
1629 sec_request to request the master to encrypt the link */
1630 FALLTHROUGH_INTENDED; /* FALLTHROUGH */
1631 case BTM_BLE_SEC_ENCRYPT_NO_MITM:
1632 case BTM_BLE_SEC_ENCRYPT_MITM:
1633 auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
1634 ? SMP_AUTH_BOND
1635 : (SMP_AUTH_BOND | SMP_AUTH_YN_BIT);
1636 btm_ble_link_sec_check(bd_addr, auth_req, &sec_req_act);
1637 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_NONE ||
1638 sec_req_act == BTM_BLE_SEC_REQ_ACT_DISCARD) {
1639 BTM_TRACE_DEBUG("%s, no action needed. Ignore", __func__);
1640 cmd = BTM_SUCCESS;
1641 break;
1642 }
1643 if (link_role == BTM_ROLE_MASTER) {
1644 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT) {
1645 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1646 break;
1647 }
1648 }
1649
1650 if (SMP_Pair(bd_addr) == SMP_STARTED) {
1651 cmd = BTM_CMD_STARTED;
1652 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1653 }
1654 break;
1655
1656 default:
1657 cmd = BTM_WRONG_MODE;
1658 break;
1659 }
1660 return cmd;
1661 }
1662
1663 /*******************************************************************************
1664 *
1665 * Function btm_ble_ltk_request
1666 *
1667 * Description This function is called when encryption request is received
1668 * on a slave device.
1669 *
1670 *
1671 * Returns void
1672 *
1673 ******************************************************************************/
btm_ble_ltk_request(uint16_t handle,uint8_t rand[8],uint16_t ediv)1674 void btm_ble_ltk_request(uint16_t handle, uint8_t rand[8], uint16_t ediv) {
1675 tBTM_CB* p_cb = &btm_cb;
1676 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
1677
1678 BTM_TRACE_DEBUG("btm_ble_ltk_request");
1679
1680 p_cb->ediv = ediv;
1681
1682 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
1683
1684 if (p_dev_rec != NULL) {
1685 if (!smp_proc_ltk_request(p_dev_rec->bd_addr)) {
1686 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, false, Octet16{0});
1687 }
1688 }
1689 }
1690
1691 /** This function is called to start LE encryption.
1692 * Returns BTM_SUCCESS if encryption was started successfully
1693 */
btm_ble_start_encrypt(const RawAddress & bda,bool use_stk,Octet16 * p_stk)1694 tBTM_STATUS btm_ble_start_encrypt(const RawAddress& bda, bool use_stk,
1695 Octet16* p_stk) {
1696 tBTM_CB* p_cb = &btm_cb;
1697 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1698 BT_OCTET8 dummy_rand = {0};
1699
1700 BTM_TRACE_DEBUG("btm_ble_start_encrypt");
1701
1702 if (!p_rec) {
1703 BTM_TRACE_ERROR("Link is not active, can not encrypt!");
1704 return BTM_WRONG_MODE;
1705 }
1706
1707 if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) {
1708 BTM_TRACE_WARNING("Link Encryption is active, Busy!");
1709 return BTM_BUSY;
1710 }
1711
1712 p_cb->enc_handle = p_rec->ble_hci_handle;
1713
1714 if (use_stk) {
1715 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, *p_stk);
1716 } else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) {
1717 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand,
1718 p_rec->ble.keys.ediv, p_rec->ble.keys.pltk);
1719 } else {
1720 BTM_TRACE_ERROR("No key available to encrypt the link");
1721 return BTM_NO_RESOURCES;
1722 }
1723
1724 if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
1725 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
1726
1727 return BTM_CMD_STARTED;
1728 }
1729
1730 /*******************************************************************************
1731 *
1732 * Function btm_ble_link_encrypted
1733 *
1734 * Description This function is called when LE link encrption status is
1735 * changed.
1736 *
1737 * Returns void
1738 *
1739 ******************************************************************************/
btm_ble_link_encrypted(const RawAddress & bd_addr,uint8_t encr_enable)1740 void btm_ble_link_encrypted(const RawAddress& bd_addr, uint8_t encr_enable) {
1741 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1742 bool enc_cback;
1743
1744 if (!p_dev_rec) {
1745 BTM_TRACE_WARNING(
1746 "btm_ble_link_encrypted (No Device Found!) encr_enable=%d",
1747 encr_enable);
1748 return;
1749 }
1750
1751 BTM_TRACE_DEBUG("btm_ble_link_encrypted encr_enable=%d", encr_enable);
1752
1753 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
1754
1755 smp_link_encrypted(bd_addr, encr_enable);
1756
1757 BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
1758
1759 if (encr_enable && p_dev_rec->enc_key_size == 0)
1760 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
1761
1762 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1763 if (p_dev_rec->p_callback && enc_cback) {
1764 if (encr_enable)
1765 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, true);
1766 else if (p_dev_rec->sec_flags & ~BTM_SEC_LE_LINK_KEY_KNOWN) {
1767 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_FAILED_ON_SECURITY, true);
1768 } else if (p_dev_rec->role_master)
1769 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, true);
1770 }
1771 /* to notify GATT to send data if any request is pending */
1772 gatt_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr);
1773 }
1774
1775 /*******************************************************************************
1776 *
1777 * Function btm_ble_ltk_request_reply
1778 *
1779 * Description This function is called to send a LTK request reply on a
1780 * slave
1781 * device.
1782 *
1783 * Returns void
1784 *
1785 ******************************************************************************/
btm_ble_ltk_request_reply(const RawAddress & bda,bool use_stk,const Octet16 & stk)1786 void btm_ble_ltk_request_reply(const RawAddress& bda, bool use_stk,
1787 const Octet16& stk) {
1788 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1789 tBTM_CB* p_cb = &btm_cb;
1790
1791 if (p_rec == NULL) {
1792 BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device");
1793 return;
1794 }
1795
1796 BTM_TRACE_DEBUG("btm_ble_ltk_request_reply");
1797 p_cb->enc_handle = p_rec->ble_hci_handle;
1798 p_cb->key_size = p_rec->ble.keys.key_size;
1799
1800 BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size);
1801 if (use_stk) {
1802 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
1803 } else /* calculate LTK using peer device */
1804 {
1805 if (p_rec->ble.key_type & BTM_LE_KEY_LENC)
1806 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk);
1807 else
1808 btsnd_hcic_ble_ltk_req_neg_reply(btm_cb.enc_handle);
1809 }
1810 }
1811
1812 /*******************************************************************************
1813 *
1814 * Function btm_ble_io_capabilities_req
1815 *
1816 * Description This function is called to handle SMP get IO capability
1817 * request.
1818 *
1819 * Returns void
1820 *
1821 ******************************************************************************/
btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1822 uint8_t btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC* p_dev_rec,
1823 tBTM_LE_IO_REQ* p_data) {
1824 uint8_t callback_rc = BTM_SUCCESS;
1825 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req");
1826 if (btm_cb.api.p_le_callback) {
1827 /* the callback function implementation may change the IO capability... */
1828 callback_rc = (*btm_cb.api.p_le_callback)(
1829 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data);
1830 }
1831 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) {
1832 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
1833 if (btm_cb.devcb.keep_rfu_in_auth_req) {
1834 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u",
1835 btm_cb.devcb.keep_rfu_in_auth_req);
1836 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU;
1837 btm_cb.devcb.keep_rfu_in_auth_req = false;
1838 } else { /* default */
1839 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1840 }
1841 #else
1842 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1843 #endif
1844
1845 BTM_TRACE_DEBUG(
1846 "btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d "
1847 "auth_req:%d",
1848 p_dev_rec->security_required, p_data->auth_req);
1849 BTM_TRACE_DEBUG(
1850 "btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK "
1851 "1-IRK 2-CSRK)",
1852 p_data->init_keys, p_data->resp_keys);
1853
1854 /* if authentication requires MITM protection, put on the mask */
1855 if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
1856 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
1857
1858 if (!(p_data->auth_req & SMP_AUTH_BOND)) {
1859 BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged");
1860 p_data->init_keys = 0;
1861 p_data->resp_keys = 0;
1862 }
1863
1864 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 3: auth_req:%d",
1865 p_data->auth_req);
1866 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
1867 p_data->init_keys, p_data->resp_keys);
1868
1869 BTM_TRACE_DEBUG(
1870 "btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
1871 p_data->io_cap, p_data->auth_req);
1872
1873 /* remove MITM protection requirement if IO cap does not allow it */
1874 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
1875 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
1876
1877 if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT)) {
1878 /* if Secure Connections are not supported then remove LK derivation,
1879 ** and keypress notifications.
1880 */
1881 BTM_TRACE_DEBUG(
1882 "%s-SC not supported -> No LK derivation, no keypress notifications",
1883 __func__);
1884 p_data->auth_req &= ~SMP_KP_SUPPORT_BIT;
1885 p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK;
1886 p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK;
1887 }
1888
1889 BTM_TRACE_DEBUG(
1890 "btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:0x%02x",
1891 p_data->io_cap, p_data->oob_data, p_data->auth_req);
1892 }
1893 return callback_rc;
1894 }
1895
1896 /*******************************************************************************
1897 *
1898 * Function btm_ble_br_keys_req
1899 *
1900 * Description This function is called to handle SMP request for keys sent
1901 * over BR/EDR.
1902 *
1903 * Returns void
1904 *
1905 ******************************************************************************/
btm_ble_br_keys_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1906 uint8_t btm_ble_br_keys_req(tBTM_SEC_DEV_REC* p_dev_rec,
1907 tBTM_LE_IO_REQ* p_data) {
1908 uint8_t callback_rc = BTM_SUCCESS;
1909 BTM_TRACE_DEBUG("%s", __func__);
1910 if (btm_cb.api.p_le_callback) {
1911 /* the callback function implementation may change the IO capability... */
1912 callback_rc = (*btm_cb.api.p_le_callback)(
1913 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data);
1914 }
1915
1916 return callback_rc;
1917 }
1918
1919 /*******************************************************************************
1920 *
1921 * Function btm_ble_connected
1922 *
1923 * Description This function is when a LE connection to the peer device is
1924 * establsihed
1925 *
1926 * Returns void
1927 *
1928 ******************************************************************************/
btm_ble_connected(const RawAddress & bda,uint16_t handle,uint8_t enc_mode,uint8_t role,tBLE_ADDR_TYPE addr_type,UNUSED_ATTR bool addr_matched)1929 void btm_ble_connected(const RawAddress& bda, uint16_t handle, uint8_t enc_mode,
1930 uint8_t role, tBLE_ADDR_TYPE addr_type,
1931 UNUSED_ATTR bool addr_matched) {
1932 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
1933 tBTM_BLE_CB* p_cb = &btm_cb.ble_ctr_cb;
1934
1935 BTM_TRACE_EVENT("btm_ble_connected");
1936
1937 /* Commenting out trace due to obf/compilation problems.
1938 */
1939 if (p_dev_rec) {
1940 VLOG(1) << __func__ << " Security Manager: handle:" << handle
1941 << " enc_mode:" << loghex(enc_mode) << " bda: " << bda
1942 << " RName: " << p_dev_rec->sec_bd_name
1943 << " p_dev_rec:" << p_dev_rec;
1944
1945 BTM_TRACE_DEBUG("btm_ble_connected sec_flags=0x%x", p_dev_rec->sec_flags);
1946 } else {
1947 VLOG(1) << __func__ << " Security Manager: handle:" << handle
1948 << " enc_mode:" << loghex(enc_mode) << " bda: " << bda
1949 << " p_dev_rec:" << p_dev_rec;
1950 }
1951
1952 if (!p_dev_rec) {
1953 /* There is no device record for new connection. Allocate one */
1954 p_dev_rec = btm_sec_alloc_dev(bda);
1955 if (p_dev_rec == NULL) return;
1956 } else /* Update the timestamp for this device */
1957 {
1958 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
1959 }
1960
1961 /* update device information */
1962 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
1963 p_dev_rec->ble_hci_handle = handle;
1964 p_dev_rec->ble.ble_addr_type = addr_type;
1965 /* update pseudo address */
1966 p_dev_rec->ble.pseudo_addr = bda;
1967
1968 p_dev_rec->role_master = false;
1969 if (role == HCI_ROLE_MASTER) p_dev_rec->role_master = true;
1970
1971 #if (BLE_PRIVACY_SPT == TRUE)
1972 if (!addr_matched) p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO;
1973
1974 if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched)
1975 p_dev_rec->ble.cur_rand_addr = bda;
1976 #endif
1977
1978 p_cb->inq_var.directed_conn = BTM_BLE_CONNECT_EVT;
1979
1980 return;
1981 }
1982
1983 /*****************************************************************************
1984 * Function btm_proc_smp_cback
1985 *
1986 * Description This function is the SMP callback handler.
1987 *
1988 *****************************************************************************/
btm_proc_smp_cback(tSMP_EVT event,const RawAddress & bd_addr,tSMP_EVT_DATA * p_data)1989 uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr,
1990 tSMP_EVT_DATA* p_data) {
1991 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1992 uint8_t res = 0;
1993
1994 BTM_TRACE_DEBUG("btm_proc_smp_cback event = %d", event);
1995
1996 if (p_dev_rec != NULL) {
1997 switch (event) {
1998 case SMP_IO_CAP_REQ_EVT:
1999 btm_ble_io_capabilities_req(p_dev_rec,
2000 (tBTM_LE_IO_REQ*)&p_data->io_req);
2001 break;
2002
2003 case SMP_BR_KEYS_REQ_EVT:
2004 btm_ble_br_keys_req(p_dev_rec, (tBTM_LE_IO_REQ*)&p_data->io_req);
2005 break;
2006
2007 case SMP_PASSKEY_REQ_EVT:
2008 case SMP_PASSKEY_NOTIF_EVT:
2009 case SMP_OOB_REQ_EVT:
2010 case SMP_NC_REQ_EVT:
2011 case SMP_SC_OOB_REQ_EVT:
2012 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
2013 FALLTHROUGH_INTENDED; /* FALLTHROUGH */
2014
2015 case SMP_CONSENT_REQ_EVT:
2016 case SMP_SEC_REQUEST_EVT:
2017 if (event == SMP_SEC_REQUEST_EVT &&
2018 btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
2019 BTM_TRACE_DEBUG("%s: Ignoring SMP Security request", __func__);
2020 break;
2021 }
2022 btm_cb.pairing_bda = bd_addr;
2023 if (event != SMP_CONSENT_REQ_EVT) {
2024 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
2025 }
2026 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
2027 FALLTHROUGH_INTENDED; /* FALLTHROUGH */
2028
2029 case SMP_COMPLT_EVT:
2030 if (btm_cb.api.p_le_callback) {
2031 /* the callback function implementation may change the IO
2032 * capability... */
2033 BTM_TRACE_DEBUG("btm_cb.api.p_le_callback=0x%x",
2034 btm_cb.api.p_le_callback);
2035 (*btm_cb.api.p_le_callback)(event, bd_addr,
2036 (tBTM_LE_EVT_DATA*)p_data);
2037 }
2038
2039 if (event == SMP_COMPLT_EVT) {
2040 p_dev_rec = btm_find_dev(bd_addr);
2041 if (p_dev_rec == NULL) {
2042 BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
2043 android_errorWriteLog(0x534e4554, "120612744");
2044 return 0;
2045 }
2046 BTM_TRACE_DEBUG(
2047 "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
2048 p_data->cmplt.sec_level, p_dev_rec->sec_flags);
2049
2050 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS
2051 : BTM_ERR_PROCESSING;
2052
2053 BTM_TRACE_DEBUG(
2054 "after update result=%d sec_level=0x%x sec_flags=0x%x", res,
2055 p_data->cmplt.sec_level, p_dev_rec->sec_flags);
2056
2057 if (p_data->cmplt.is_pair_cancel &&
2058 btm_cb.api.p_bond_cancel_cmpl_callback) {
2059 BTM_TRACE_DEBUG("Pairing Cancel completed");
2060 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
2061 }
2062 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
2063 if (res != BTM_SUCCESS) {
2064 if (!btm_cb.devcb.no_disc_if_pair_fail &&
2065 p_data->cmplt.reason != SMP_CONN_TOUT) {
2066 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL");
2067 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2068 } else {
2069 BTM_TRACE_DEBUG("Pairing failed - Not Removing ACL");
2070 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2071 }
2072 }
2073 #else
2074 if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT) {
2075 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL");
2076 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2077 }
2078 #endif
2079
2080 BTM_TRACE_DEBUG(
2081 "btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
2082 btm_cb.pairing_state, btm_cb.pairing_flags, btm_cb.pin_code_len);
2083 VLOG(1) << "btm_cb.pairing_bda: " << btm_cb.pairing_bda;
2084
2085 /* Reset btm state only if the callback address matches pairing
2086 * address*/
2087 if (bd_addr == btm_cb.pairing_bda) {
2088 btm_cb.pairing_bda = RawAddress::kAny;
2089 btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
2090 btm_cb.pairing_flags = 0;
2091 }
2092
2093 if (res == BTM_SUCCESS) {
2094 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2095 #if (BLE_PRIVACY_SPT == TRUE)
2096 /* add all bonded device into resolving list if IRK is available*/
2097 btm_ble_resolving_list_load_dev(p_dev_rec);
2098 #endif
2099 }
2100
2101 btm_sec_dev_rec_cback_event(p_dev_rec, res, true);
2102 }
2103 break;
2104
2105 default:
2106 BTM_TRACE_DEBUG("unknown event = %d", event);
2107 break;
2108 }
2109 } else {
2110 BTM_TRACE_ERROR("btm_proc_smp_cback received for unknown device");
2111 }
2112
2113 return 0;
2114 }
2115
2116 /*******************************************************************************
2117 *
2118 * Function BTM_BleDataSignature
2119 *
2120 * Description This function is called to sign the data using AES128 CMAC
2121 * algorith.
2122 *
2123 * Parameter bd_addr: target device the data to be signed for.
2124 * p_text: singing data
2125 * len: length of the data to be signed.
2126 * signature: output parameter where data signature is going to
2127 * be stored.
2128 *
2129 * Returns true if signing sucessul, otherwise false.
2130 *
2131 ******************************************************************************/
BTM_BleDataSignature(const RawAddress & bd_addr,uint8_t * p_text,uint16_t len,BLE_SIGNATURE signature)2132 bool BTM_BleDataSignature(const RawAddress& bd_addr, uint8_t* p_text,
2133 uint16_t len, BLE_SIGNATURE signature) {
2134 if (bluetooth::shim::is_gd_shim_enabled()) {
2135 return bluetooth::shim::BTM_BleDataSignature(bd_addr, p_text, len,
2136 signature);
2137 }
2138 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
2139
2140 BTM_TRACE_DEBUG("%s", __func__);
2141 if (p_rec == NULL) {
2142 BTM_TRACE_ERROR("%s-data signing can not be done from unknown device",
2143 __func__);
2144 return false;
2145 }
2146
2147 uint8_t* p_mac = (uint8_t*)signature;
2148 uint8_t* pp;
2149 uint8_t* p_buf = (uint8_t*)osi_malloc(len + 4);
2150
2151 BTM_TRACE_DEBUG("%s-Start to generate Local CSRK", __func__);
2152 pp = p_buf;
2153 /* prepare plain text */
2154 if (p_text) {
2155 memcpy(p_buf, p_text, len);
2156 pp = (p_buf + len);
2157 }
2158
2159 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
2160 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
2161
2162 crypto_toolbox::aes_cmac(p_rec->ble.keys.lcsrk, p_buf, (uint16_t)(len + 4),
2163 BTM_CMAC_TLEN_SIZE, p_mac);
2164 btm_ble_increment_sign_ctr(bd_addr, true);
2165
2166 BTM_TRACE_DEBUG("%s p_mac = %d", __func__, p_mac);
2167 BTM_TRACE_DEBUG(
2168 "p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = "
2169 "0x%02x",
2170 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
2171 BTM_TRACE_DEBUG(
2172 "p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = "
2173 "0x%02x",
2174 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
2175 osi_free(p_buf);
2176 return true;
2177 }
2178
2179 /*******************************************************************************
2180 *
2181 * Function BTM_BleVerifySignature
2182 *
2183 * Description This function is called to verify the data signature
2184 *
2185 * Parameter bd_addr: target device the data to be signed for.
2186 * p_orig: original data before signature.
2187 * len: length of the signing data
2188 * counter: counter used when doing data signing
2189 * p_comp: signature to be compared against.
2190
2191 * Returns true if signature verified correctly; otherwise false.
2192 *
2193 ******************************************************************************/
BTM_BleVerifySignature(const RawAddress & bd_addr,uint8_t * p_orig,uint16_t len,uint32_t counter,uint8_t * p_comp)2194 bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
2195 uint16_t len, uint32_t counter, uint8_t* p_comp) {
2196 if (bluetooth::shim::is_gd_shim_enabled()) {
2197 return bluetooth::shim::BTM_BleVerifySignature(bd_addr, p_orig, len,
2198 counter, p_comp);
2199 }
2200 bool verified = false;
2201 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
2202 uint8_t p_mac[BTM_CMAC_TLEN_SIZE];
2203
2204 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) {
2205 BTM_TRACE_ERROR("can not verify signature for unknown device");
2206 } else if (counter < p_rec->ble.keys.counter) {
2207 BTM_TRACE_ERROR("signature received with out dated sign counter");
2208 } else if (p_orig == NULL) {
2209 BTM_TRACE_ERROR("No signature to verify");
2210 } else {
2211 BTM_TRACE_DEBUG("%s rcv_cnt=%d >= expected_cnt=%d", __func__, counter,
2212 p_rec->ble.keys.counter);
2213
2214 crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len,
2215 BTM_CMAC_TLEN_SIZE, p_mac);
2216 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
2217 btm_ble_increment_sign_ctr(bd_addr, false);
2218 verified = true;
2219 }
2220 }
2221 return verified;
2222 }
2223
2224 /*******************************************************************************
2225 *
2226 * Function BTM_GetLeSecurityState
2227 *
2228 * Description This function is called to get security mode 1 flags and
2229 * encryption key size for LE peer.
2230 *
2231 * Returns bool true if LE device is found, false otherwise.
2232 *
2233 ******************************************************************************/
BTM_GetLeSecurityState(const RawAddress & bd_addr,uint8_t * p_le_dev_sec_flags,uint8_t * p_le_key_size)2234 bool BTM_GetLeSecurityState(const RawAddress& bd_addr,
2235 uint8_t* p_le_dev_sec_flags,
2236 uint8_t* p_le_key_size) {
2237 if (bluetooth::shim::is_gd_shim_enabled()) {
2238 return bluetooth::shim::BTM_GetLeSecurityState(bd_addr, p_le_dev_sec_flags,
2239 p_le_key_size);
2240 }
2241 tBTM_SEC_DEV_REC* p_dev_rec;
2242 uint16_t dev_rec_sec_flags;
2243
2244 *p_le_dev_sec_flags = 0;
2245 *p_le_key_size = 0;
2246
2247 p_dev_rec = btm_find_dev(bd_addr);
2248 if (p_dev_rec == NULL) {
2249 BTM_TRACE_ERROR("%s fails", __func__);
2250 return (false);
2251 }
2252
2253 if (p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE) {
2254 BTM_TRACE_ERROR("%s-this is not LE device", __func__);
2255 return (false);
2256 }
2257
2258 dev_rec_sec_flags = p_dev_rec->sec_flags;
2259
2260 if (dev_rec_sec_flags & BTM_SEC_LE_ENCRYPTED) {
2261 /* link is encrypted with LTK or STK */
2262 *p_le_key_size = p_dev_rec->enc_key_size;
2263 *p_le_dev_sec_flags |= BTM_SEC_LE_LINK_ENCRYPTED;
2264
2265 *p_le_dev_sec_flags |=
2266 (dev_rec_sec_flags & BTM_SEC_LE_AUTHENTICATED)
2267 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */
2268 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */
2269 } else if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) {
2270 /* link is unencrypted, still LTK is available */
2271 *p_le_key_size = p_dev_rec->ble.keys.key_size;
2272
2273 *p_le_dev_sec_flags |=
2274 (dev_rec_sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
2275 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */
2276 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */
2277 }
2278
2279 BTM_TRACE_DEBUG("%s - le_dev_sec_flags: 0x%02x, le_key_size: %d", __func__,
2280 *p_le_dev_sec_flags, *p_le_key_size);
2281
2282 return true;
2283 }
2284
2285 /*******************************************************************************
2286 *
2287 * Function BTM_BleSecurityProcedureIsRunning
2288 *
2289 * Description This function indicates if LE security procedure is
2290 * currently running with the peer.
2291 *
2292 * Returns bool true if security procedure is running, false
2293 * otherwise.
2294 *
2295 ******************************************************************************/
BTM_BleSecurityProcedureIsRunning(const RawAddress & bd_addr)2296 bool BTM_BleSecurityProcedureIsRunning(const RawAddress& bd_addr) {
2297 if (bluetooth::shim::is_gd_shim_enabled()) {
2298 return bluetooth::shim::BTM_BleSecurityProcedureIsRunning(bd_addr);
2299 }
2300 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2301
2302 if (p_dev_rec == NULL) {
2303 LOG(ERROR) << __func__ << " device with BDA: " << bd_addr
2304 << " is not found";
2305 return false;
2306 }
2307
2308 return (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
2309 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING);
2310 }
2311
2312 /*******************************************************************************
2313 *
2314 * Function BTM_BleGetSupportedKeySize
2315 *
2316 * Description This function gets the maximum encryption key size in bytes
2317 * the local device can suport.
2318 * record.
2319 *
2320 * Returns the key size or 0 if the size can't be retrieved.
2321 *
2322 ******************************************************************************/
BTM_BleGetSupportedKeySize(const RawAddress & bd_addr)2323 extern uint8_t BTM_BleGetSupportedKeySize(const RawAddress& bd_addr) {
2324 if (bluetooth::shim::is_gd_shim_enabled()) {
2325 return bluetooth::shim::BTM_BleGetSupportedKeySize(bd_addr);
2326 }
2327 #if (L2CAP_LE_COC_INCLUDED == TRUE)
2328 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2329 tBTM_LE_EVT_DATA btm_le_evt_data;
2330 uint8_t callback_rc;
2331
2332 if (!p_dev_rec) {
2333 LOG(ERROR) << __func__ << " device with BDA: " << bd_addr
2334 << " is not found";
2335 return 0;
2336 }
2337
2338 if (btm_cb.api.p_le_callback == NULL) {
2339 BTM_TRACE_ERROR("%s can't access supported key size", __func__);
2340 return 0;
2341 }
2342
2343 callback_rc = (*btm_cb.api.p_le_callback)(
2344 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, &btm_le_evt_data);
2345
2346 if (callback_rc != BTM_SUCCESS) {
2347 BTM_TRACE_ERROR("%s can't access supported key size", __func__);
2348 return 0;
2349 }
2350
2351 BTM_TRACE_DEBUG("%s device supports key size = %d", __func__,
2352 btm_le_evt_data.io_req.max_key_size);
2353 return (btm_le_evt_data.io_req.max_key_size);
2354 #else
2355 return 0;
2356 #endif
2357 }
2358
2359 /*******************************************************************************
2360 * Utility functions for LE device IR/ER generation
2361 ******************************************************************************/
2362 /** This function is to notify application new keys have been generated. */
btm_notify_new_key(uint8_t key_type)2363 static void btm_notify_new_key(uint8_t key_type) {
2364 tBTM_BLE_LOCAL_KEYS* p_local_keys = NULL;
2365
2366 BTM_TRACE_DEBUG("btm_notify_new_key key_type=%d", key_type);
2367
2368 if (btm_cb.api.p_le_key_callback) {
2369 switch (key_type) {
2370 case BTM_BLE_KEY_TYPE_ID:
2371 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ID");
2372 p_local_keys = (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.id_keys;
2373 break;
2374
2375 case BTM_BLE_KEY_TYPE_ER:
2376 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ER");
2377 p_local_keys =
2378 (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.ble_encryption_key_value;
2379 break;
2380
2381 default:
2382 BTM_TRACE_ERROR("unknown key type: %d", key_type);
2383 break;
2384 }
2385 if (p_local_keys != NULL)
2386 (*btm_cb.api.p_le_key_callback)(key_type, p_local_keys);
2387 }
2388 }
2389
2390 /** implementation of btm_ble_reset_id */
btm_ble_reset_id_impl(const Octet16 & rand1,const Octet16 & rand2)2391 static void btm_ble_reset_id_impl(const Octet16& rand1, const Octet16& rand2) {
2392 /* Regenerate Identity Root */
2393 btm_cb.devcb.id_keys.ir = rand1;
2394 uint8_t btm_ble_dhk_pt = 0x03;
2395
2396 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
2397 btm_cb.devcb.id_keys.dhk =
2398 crypto_toolbox::aes_128(btm_cb.devcb.id_keys.ir, &btm_ble_dhk_pt, 1);
2399
2400 uint8_t btm_ble_irk_pt = 0x01;
2401 /* IRK = D1(IR, 1) */
2402 btm_cb.devcb.id_keys.irk =
2403 crypto_toolbox::aes_128(btm_cb.devcb.id_keys.ir, &btm_ble_irk_pt, 1);
2404
2405 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
2406
2407 #if (BLE_PRIVACY_SPT == TRUE)
2408 /* if privacy is enabled, new RPA should be calculated */
2409 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) {
2410 btm_gen_resolvable_private_addr(base::Bind(&btm_gen_resolve_paddr_low));
2411 }
2412 #endif
2413
2414 /* proceed generate ER */
2415 btm_cb.devcb.ble_encryption_key_value = rand2;
2416 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
2417 }
2418
2419 struct reset_id_data {
2420 Octet16 rand1;
2421 Octet16 rand2;
2422 };
2423
2424 /** This function is called to reset LE device identity. */
btm_ble_reset_id(void)2425 void btm_ble_reset_id(void) {
2426 BTM_TRACE_DEBUG("btm_ble_reset_id");
2427
2428 /* In order to reset identity, we need four random numbers. Make four nested
2429 * calls to generate them first, then proceed to perform the actual reset in
2430 * btm_ble_reset_id_impl. */
2431 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) {
2432 reset_id_data tmp;
2433 memcpy(tmp.rand1.data(), rand, BT_OCTET8_LEN);
2434 btsnd_hcic_ble_rand(base::Bind(
2435 [](reset_id_data tmp, BT_OCTET8 rand) {
2436 memcpy(tmp.rand1.data() + 8, rand, BT_OCTET8_LEN);
2437 btsnd_hcic_ble_rand(base::Bind(
2438 [](reset_id_data tmp, BT_OCTET8 rand) {
2439 memcpy(tmp.rand2.data(), rand, BT_OCTET8_LEN);
2440 btsnd_hcic_ble_rand(base::Bind(
2441 [](reset_id_data tmp, BT_OCTET8 rand) {
2442 memcpy(tmp.rand2.data() + 8, rand, BT_OCTET8_LEN);
2443 // when all random numbers are ready, do the actual reset.
2444 btm_ble_reset_id_impl(tmp.rand1, tmp.rand2);
2445 },
2446 tmp));
2447 },
2448 tmp));
2449 },
2450 tmp));
2451 }));
2452 }
2453
2454 /* This function set a random address to local controller. It also temporarily
2455 * disable scans and adv before sending the command to the controller. */
btm_ble_set_random_address(const RawAddress & random_bda)2456 void btm_ble_set_random_address(const RawAddress& random_bda) {
2457 tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
2458 tBTM_BLE_CB* p_ble_cb = &btm_cb.ble_ctr_cb;
2459 bool adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode;
2460
2461 BTM_TRACE_DEBUG("%s", __func__);
2462
2463 if (adv_mode == BTM_BLE_ADV_ENABLE)
2464 btsnd_hcic_ble_set_adv_enable(BTM_BLE_ADV_DISABLE);
2465 if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) btm_ble_stop_scan();
2466 btm_ble_suspend_bg_conn();
2467
2468 p_cb->private_addr = random_bda;
2469 btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
2470
2471 if (adv_mode == BTM_BLE_ADV_ENABLE)
2472 btsnd_hcic_ble_set_adv_enable(BTM_BLE_ADV_ENABLE);
2473 if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) btm_ble_start_scan();
2474 btm_ble_resume_bg_conn();
2475 }
2476
2477 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
2478 /*******************************************************************************
2479 *
2480 * Function btm_ble_set_no_disc_if_pair_fail
2481 *
2482 * Description This function indicates whether no disconnect of the ACL
2483 * should be used if pairing failed
2484 *
2485 * Returns void
2486 *
2487 ******************************************************************************/
btm_ble_set_no_disc_if_pair_fail(bool disable_disc)2488 void btm_ble_set_no_disc_if_pair_fail(bool disable_disc) {
2489 BTM_TRACE_DEBUG("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d",
2490 disable_disc);
2491 btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
2492 }
2493
2494 /*******************************************************************************
2495 *
2496 * Function btm_ble_set_test_mac_value
2497 *
2498 * Description This function set test MAC value
2499 *
2500 * Returns void
2501 *
2502 ******************************************************************************/
btm_ble_set_test_mac_value(bool enable,uint8_t * p_test_mac_val)2503 void btm_ble_set_test_mac_value(bool enable, uint8_t* p_test_mac_val) {
2504 BTM_TRACE_DEBUG("btm_ble_set_test_mac_value enable=%d", enable);
2505 btm_cb.devcb.enable_test_mac_val = enable;
2506 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
2507 }
2508
2509 /*******************************************************************************
2510 *
2511 * Function btm_ble_set_test_local_sign_cntr_value
2512 *
2513 * Description This function set test local sign counter value
2514 *
2515 * Returns void
2516 *
2517 ******************************************************************************/
btm_ble_set_test_local_sign_cntr_value(bool enable,uint32_t test_local_sign_cntr)2518 void btm_ble_set_test_local_sign_cntr_value(bool enable,
2519 uint32_t test_local_sign_cntr) {
2520 BTM_TRACE_DEBUG(
2521 "btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
2522 enable, test_local_sign_cntr);
2523 btm_cb.devcb.enable_test_local_sign_cntr = enable;
2524 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr;
2525 }
2526
2527 /*******************************************************************************
2528 *
2529 * Function btm_ble_set_keep_rfu_in_auth_req
2530 *
2531 * Description This function indicates if RFU bits have to be kept as is
2532 * (by default they have to be set to 0 by the sender).
2533 *
2534 * Returns void
2535 *
2536 ******************************************************************************/
btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu)2537 void btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu) {
2538 BTM_TRACE_DEBUG("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu);
2539 btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu;
2540 }
2541
2542 #endif /* BTM_BLE_CONFORMANCE_TESTING */
2543