1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for BLE device control utilities, and LE
22 * security functions.
23 *
24 ******************************************************************************/
25
26 #define LOG_TAG "bt_btm_ble"
27
28 #include <cstdint>
29
30 #include "device/include/controller.h"
31 #include "main/shim/btm_api.h"
32 #include "main/shim/l2c_api.h"
33 #include "main/shim/shim.h"
34 #include "osi/include/allocator.h"
35 #include "osi/include/properties.h"
36 #include "stack/btm/btm_dev.h"
37 #include "stack/btm/btm_int_types.h"
38 #include "stack/btm/security_device_record.h"
39 #include "stack/crypto_toolbox/crypto_toolbox.h"
40 #include "stack/include/acl_api.h"
41 #include "stack/include/bt_octets.h"
42 #include "stack/include/bt_types.h"
43 #include "stack/include/btm_api.h"
44 #include "stack/include/btu.h"
45 #include "stack/include/gatt_api.h"
46 #include "stack/include/l2cap_security_interface.h"
47 #include "stack/include/l2cdefs.h"
48 #include "stack/include/smp_api.h"
49 #include "types/raw_address.h"
50
51 #include <base/logging.h>
52
53 extern tBTM_CB btm_cb;
54
55 extern bool btm_ble_init_pseudo_addr(tBTM_SEC_DEV_REC* p_dev_rec,
56 const RawAddress& new_pseudo_addr);
57 extern void gatt_notify_phy_updated(tGATT_STATUS status, uint16_t handle,
58 uint8_t tx_phy, uint8_t rx_phy);
59
60
61 #ifndef PROPERTY_BLE_PRIVACY_ENABLED
62 #define PROPERTY_BLE_PRIVACY_ENABLED "bluetooth.core.gap.le.privacy.enabled"
63 #endif
64
65 // Pairing parameters defined in Vol 3, Part H, Chapter 3.5.1 - 3.5.2
66 // All present in the exact decimal values, not hex
67 // Ex: bluetooth.core.smp.le.ctkd.initiator_key_distribution 15(0x0f)
68 static const char kPropertyCtkdAuthRequest[] =
69 "bluetooth.core.smp.le.ctkd.auth_request";
70 static const char kPropertyCtkdIoCapabilities[] =
71 "bluetooth.core.smp.le.ctkd.io_capabilities";
72 // Vol 3, Part H, Chapter 3.6.1, Figure 3.11
73 // |EncKey(1)|IdKey(1)|SignKey(1)|LinkKey(1)|Reserved(4)|
74 static const char kPropertyCtkdInitiatorKeyDistribution[] =
75 "bluetooth.core.smp.le.ctkd.initiator_key_distribution";
76 static const char kPropertyCtkdResponderKeyDistribution[] =
77 "bluetooth.core.smp.le.ctkd.responder_key_distribution";
78 static const char kPropertyCtkdMaxKeySize[] =
79 "bluetooth.core.smp.le.ctkd.max_key_size";
80
81 /******************************************************************************/
82 /* External Function to be called by other modules */
83 /******************************************************************************/
BTM_SecAddBleDevice(const RawAddress & bd_addr,tBT_DEVICE_TYPE dev_type,tBLE_ADDR_TYPE addr_type)84 void BTM_SecAddBleDevice(const RawAddress& bd_addr, tBT_DEVICE_TYPE dev_type,
85 tBLE_ADDR_TYPE addr_type) {
86 if (bluetooth::shim::is_gd_shim_enabled()) {
87 return bluetooth::shim::BTM_SecAddBleDevice(bd_addr, dev_type, addr_type);
88 }
89
90 LOG_DEBUG("dev_type=0x%x", dev_type);
91
92 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
93 if (!p_dev_rec) {
94 p_dev_rec = btm_sec_allocate_dev_rec();
95
96 p_dev_rec->bd_addr = bd_addr;
97 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
98 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
99
100 /* update conn params, use default value for background connection params */
101 p_dev_rec->conn_params.min_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
102 p_dev_rec->conn_params.max_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
103 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_PARAM_UNDEF;
104 p_dev_rec->conn_params.peripheral_latency = BTM_BLE_CONN_PARAM_UNDEF;
105
106 LOG_DEBUG("Device added, handle=0x%x, p_dev_rec=%p, bd_addr=%s",
107 p_dev_rec->ble_hci_handle, p_dev_rec, PRIVATE_ADDRESS(bd_addr));
108 }
109
110 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
111
112 p_dev_rec->device_type |= dev_type;
113 if (is_ble_addr_type_known(addr_type)) {
114 p_dev_rec->ble.SetAddressType(addr_type);
115 } else {
116 LOG_WARN(
117 "Please do not update device record from anonymous le advertisement");
118 }
119
120 /* sync up with the Inq Data base*/
121 tBTM_INQ_INFO* p_info = BTM_InqDbRead(bd_addr);
122 if (p_info) {
123 p_info->results.ble_addr_type = p_dev_rec->ble.AddressType();
124 p_info->results.device_type = p_dev_rec->device_type;
125 LOG_DEBUG("InqDb device_type =0x%x addr_type=0x%x",
126 p_info->results.device_type, p_info->results.ble_addr_type);
127 }
128 }
129
130 /*******************************************************************************
131 *
132 * Function BTM_SecAddBleKey
133 *
134 * Description Add/modify LE device information. This function will be
135 * normally called during host startup to restore all required
136 * information stored in the NVRAM.
137 *
138 * Parameters: bd_addr - BD address of the peer
139 * p_le_key - LE key values.
140 * key_type - LE SMP key type.
141 *
142 * Returns true if added OK, else false
143 *
144 ******************************************************************************/
BTM_SecAddBleKey(const RawAddress & bd_addr,tBTM_LE_KEY_VALUE * p_le_key,tBTM_LE_KEY_TYPE key_type)145 void BTM_SecAddBleKey(const RawAddress& bd_addr, tBTM_LE_KEY_VALUE* p_le_key,
146 tBTM_LE_KEY_TYPE key_type) {
147 if (bluetooth::shim::is_gd_shim_enabled()) {
148 return bluetooth::shim::BTM_SecAddBleKey(bd_addr, p_le_key, key_type);
149 }
150
151 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
152 if (!p_dev_rec || !p_le_key ||
153 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
154 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
155 key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID)) {
156 LOG(WARNING) << __func__
157 << " Wrong Type, or No Device record for bdaddr: " << bd_addr
158 << ", Type: " << key_type;
159 return;
160 }
161
162 LOG_DEBUG("Adding BLE key device:%s key_type:%hhu", PRIVATE_ADDRESS(bd_addr),
163 key_type);
164
165 btm_sec_save_le_key(bd_addr, key_type, p_le_key, false);
166 // Only set peer irk. Local irk is always the same.
167 if (key_type == BTM_LE_KEY_PID) {
168 btm_ble_resolving_list_load_dev(*p_dev_rec);
169 }
170 }
171
172 /*******************************************************************************
173 *
174 * Function BTM_BleLoadLocalKeys
175 *
176 * Description Local local identity key, encryption root or sign counter.
177 *
178 * Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID,
179 * BTM_BLE_KEY_TYPE_ER
180 * or BTM_BLE_KEY_TYPE_COUNTER.
181 * p_key: pointer to the key.
182 *
183 * Returns non2.
184 *
185 ******************************************************************************/
BTM_BleLoadLocalKeys(uint8_t key_type,tBTM_BLE_LOCAL_KEYS * p_key)186 void BTM_BleLoadLocalKeys(uint8_t key_type, tBTM_BLE_LOCAL_KEYS* p_key) {
187 if (bluetooth::shim::is_gd_shim_enabled()) {
188 return bluetooth::shim::BTM_BleLoadLocalKeys(key_type, p_key);
189 }
190
191 tBTM_DEVCB* p_devcb = &btm_cb.devcb;
192 BTM_TRACE_DEBUG("%s", __func__);
193 if (p_key != NULL) {
194 switch (key_type) {
195 case BTM_BLE_KEY_TYPE_ID:
196 memcpy(&p_devcb->id_keys, &p_key->id_keys,
197 sizeof(tBTM_BLE_LOCAL_ID_KEYS));
198 break;
199
200 case BTM_BLE_KEY_TYPE_ER:
201 p_devcb->ble_encryption_key_value = p_key->er;
202 break;
203
204 default:
205 BTM_TRACE_ERROR("unknow local key type: %d", key_type);
206 break;
207 }
208 }
209 }
210
211 /** Returns local device encryption root (ER) */
BTM_GetDeviceEncRoot()212 const Octet16& BTM_GetDeviceEncRoot() {
213 if (bluetooth::shim::is_gd_shim_enabled()) {
214 return bluetooth::shim::BTM_GetDeviceEncRoot();
215 }
216 return btm_cb.devcb.ble_encryption_key_value;
217 }
218
219 /** Returns local device identity root (IR). */
BTM_GetDeviceIDRoot()220 const Octet16& BTM_GetDeviceIDRoot() {
221 if (bluetooth::shim::is_gd_shim_enabled()) {
222 return bluetooth::shim::BTM_GetDeviceIDRoot();
223 }
224 return btm_cb.devcb.id_keys.irk;
225 }
226
227 /** Return local device DHK. */
BTM_GetDeviceDHK()228 const Octet16& BTM_GetDeviceDHK() {
229 if (bluetooth::shim::is_gd_shim_enabled()) {
230 return bluetooth::shim::BTM_GetDeviceDHK();
231 }
232 return btm_cb.devcb.id_keys.dhk;
233 }
234
235
236 /*******************************************************************************
237 *
238 * Function BTM_SecurityGrant
239 *
240 * Description This function is called to grant security process.
241 *
242 * Parameters bd_addr - peer device bd address.
243 * res - result of the operation BTM_SUCCESS if success.
244 * Otherwise, BTM_REPEATED_ATTEMPTS if too many
245 * attempts.
246 *
247 * Returns None
248 *
249 ******************************************************************************/
BTM_SecurityGrant(const RawAddress & bd_addr,uint8_t res)250 void BTM_SecurityGrant(const RawAddress& bd_addr, uint8_t res) {
251 if (bluetooth::shim::is_gd_shim_enabled()) {
252 return bluetooth::shim::BTM_SecurityGrant(bd_addr, res);
253 }
254 tSMP_STATUS res_smp =
255 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
256 BTM_TRACE_DEBUG("BTM_SecurityGrant");
257 SMP_SecurityGrant(bd_addr, res_smp);
258 }
259
260 /*******************************************************************************
261 *
262 * Function BTM_BlePasskeyReply
263 *
264 * Description This function is called after Security Manager submitted
265 * passkey request to the application.
266 *
267 * Parameters: bd_addr - Address of the device for which passkey was
268 * requested
269 * res - result of the operation BTM_SUCCESS if success
270 * key_len - length in bytes of the Passkey
271 * p_passkey - pointer to array with the passkey
272 *
273 ******************************************************************************/
BTM_BlePasskeyReply(const RawAddress & bd_addr,uint8_t res,uint32_t passkey)274 void BTM_BlePasskeyReply(const RawAddress& bd_addr, uint8_t res,
275 uint32_t passkey) {
276 if (bluetooth::shim::is_gd_shim_enabled()) {
277 ASSERT_LOG(false, "This should not be invoked from code path");
278 }
279 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
280 tSMP_STATUS res_smp =
281 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
282
283 if (p_dev_rec == NULL) {
284 BTM_TRACE_ERROR("Passkey reply to Unknown device");
285 return;
286 }
287
288 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
289 BTM_TRACE_DEBUG("BTM_BlePasskeyReply");
290 SMP_PasskeyReply(bd_addr, res_smp, passkey);
291 }
292
293 /*******************************************************************************
294 *
295 * Function BTM_BleConfirmReply
296 *
297 * Description This function is called after Security Manager submitted
298 * numeric comparison request to the application.
299 *
300 * Parameters: bd_addr - Address of the device with which numeric
301 * comparison was requested
302 * res - comparison result BTM_SUCCESS if success
303 *
304 ******************************************************************************/
BTM_BleConfirmReply(const RawAddress & bd_addr,uint8_t res)305 void BTM_BleConfirmReply(const RawAddress& bd_addr, uint8_t res) {
306 if (bluetooth::shim::is_gd_shim_enabled()) {
307 ASSERT_LOG(false, "This should not be invoked from code path");
308 }
309 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
310 tSMP_STATUS res_smp =
311 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
312
313 if (p_dev_rec == NULL) {
314 BTM_TRACE_ERROR("Passkey reply to Unknown device");
315 return;
316 }
317
318 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
319 BTM_TRACE_DEBUG("%s", __func__);
320 SMP_ConfirmReply(bd_addr, res_smp);
321 }
322
323 /*******************************************************************************
324 *
325 * Function BTM_BleOobDataReply
326 *
327 * Description This function is called to provide the OOB data for
328 * SMP in response to BTM_LE_OOB_REQ_EVT
329 *
330 * Parameters: bd_addr - Address of the peer device
331 * res - result of the operation SMP_SUCCESS if success
332 * p_data - oob data, depending on transport and
333 * capabilities.
334 * Might be "Simple Pairing Randomizer", or
335 * "Security Manager TK Value".
336 *
337 ******************************************************************************/
BTM_BleOobDataReply(const RawAddress & bd_addr,uint8_t res,uint8_t len,uint8_t * p_data)338 void BTM_BleOobDataReply(const RawAddress& bd_addr, uint8_t res, uint8_t len,
339 uint8_t* p_data) {
340 if (bluetooth::shim::is_gd_shim_enabled()) {
341 return bluetooth::shim::BTM_BleOobDataReply(bd_addr, res, len, p_data);
342 }
343 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
344 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
345
346 BTM_TRACE_DEBUG("%s:", __func__);
347
348 if (p_dev_rec == NULL) {
349 BTM_TRACE_ERROR("%s: Unknown device", __func__);
350 return;
351 }
352
353 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
354 SMP_OobDataReply(bd_addr, res_smp, len, p_data);
355 }
356
357 /*******************************************************************************
358 *
359 * Function BTM_BleSecureConnectionOobDataReply
360 *
361 * Description This function is called to provide the OOB data for
362 * SMP in response to BTM_LE_OOB_REQ_EVT when secure connection
363 * data is available
364 *
365 * Parameters: bd_addr - Address of the peer device
366 * p_c - pointer to Confirmation.
367 * p_r - pointer to Randomizer
368 *
369 ******************************************************************************/
BTM_BleSecureConnectionOobDataReply(const RawAddress & bd_addr,uint8_t * p_c,uint8_t * p_r)370 void BTM_BleSecureConnectionOobDataReply(const RawAddress& bd_addr,
371 uint8_t* p_c, uint8_t* p_r) {
372 if (bluetooth::shim::is_gd_shim_enabled()) {
373 return bluetooth::shim::BTM_BleSecureConnectionOobDataReply(bd_addr, p_c,
374 p_r);
375 }
376 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
377
378 BTM_TRACE_DEBUG("%s:", __func__);
379
380 if (p_dev_rec == NULL) {
381 BTM_TRACE_ERROR("%s: Unknown device", __func__);
382 return;
383 }
384
385 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
386
387 tSMP_SC_OOB_DATA oob;
388 memset(&oob, 0, sizeof(tSMP_SC_OOB_DATA));
389
390 oob.peer_oob_data.present = true;
391 memcpy(&oob.peer_oob_data.randomizer, p_r, OCTET16_LEN);
392 memcpy(&oob.peer_oob_data.commitment, p_c, OCTET16_LEN);
393 oob.peer_oob_data.addr_rcvd_from.type = p_dev_rec->ble.AddressType();
394 oob.peer_oob_data.addr_rcvd_from.bda = bd_addr;
395
396 SMP_SecureConnectionOobDataReply((uint8_t*)&oob);
397 }
398
399 /********************************************************
400 *
401 * Function BTM_BleSetPrefConnParams
402 *
403 * Description Set a peripheral's preferred connection parameters
404 *
405 * Parameters: bd_addr - BD address of the peripheral
406 * scan_interval: scan interval
407 * scan_window: scan window
408 * min_conn_int - minimum preferred connection interval
409 * max_conn_int - maximum preferred connection interval
410 * peripheral_latency - preferred peripheral latency
411 * supervision_tout - preferred supervision timeout
412 *
413 * Returns void
414 *
415 ******************************************************************************/
BTM_BleSetPrefConnParams(const RawAddress & bd_addr,uint16_t min_conn_int,uint16_t max_conn_int,uint16_t peripheral_latency,uint16_t supervision_tout)416 void BTM_BleSetPrefConnParams(const RawAddress& bd_addr, uint16_t min_conn_int,
417 uint16_t max_conn_int,
418 uint16_t peripheral_latency,
419 uint16_t supervision_tout) {
420 if (bluetooth::shim::is_gd_shim_enabled()) {
421 return bluetooth::shim::BTM_BleSetPrefConnParams(
422 bd_addr, min_conn_int, max_conn_int, peripheral_latency,
423 supervision_tout);
424 }
425 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
426
427 BTM_TRACE_API(
428 "BTM_BleSetPrefConnParams min: %u max: %u latency: %u \
429 tout: %u",
430 min_conn_int, max_conn_int, peripheral_latency, supervision_tout);
431
432 if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN,
433 BTM_BLE_CONN_INT_MAX) &&
434 BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN,
435 BTM_BLE_CONN_INT_MAX) &&
436 BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN,
437 BTM_BLE_CONN_SUP_TOUT_MAX) &&
438 (peripheral_latency <= BTM_BLE_CONN_LATENCY_MAX ||
439 peripheral_latency == BTM_BLE_CONN_PARAM_UNDEF)) {
440 if (p_dev_rec) {
441 /* expect conn int and stout and peripheral latency to be updated all
442 * together
443 */
444 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF ||
445 max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) {
446 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
447 p_dev_rec->conn_params.min_conn_int = min_conn_int;
448 else
449 p_dev_rec->conn_params.min_conn_int = max_conn_int;
450
451 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
452 p_dev_rec->conn_params.max_conn_int = max_conn_int;
453 else
454 p_dev_rec->conn_params.max_conn_int = min_conn_int;
455
456 if (peripheral_latency != BTM_BLE_CONN_PARAM_UNDEF)
457 p_dev_rec->conn_params.peripheral_latency = peripheral_latency;
458 else
459 p_dev_rec->conn_params.peripheral_latency =
460 BTM_BLE_CONN_PERIPHERAL_LATENCY_DEF;
461
462 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
463 p_dev_rec->conn_params.supervision_tout = supervision_tout;
464 else
465 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF;
466 }
467
468 } else {
469 BTM_TRACE_ERROR("Unknown Device, setting rejected");
470 }
471 } else {
472 BTM_TRACE_ERROR("Illegal Connection Parameters");
473 }
474 }
475
476 /*******************************************************************************
477 *
478 * Function BTM_ReadDevInfo
479 *
480 * Description This function is called to read the device/address type
481 * of BD address.
482 *
483 * Parameter remote_bda: remote device address
484 * p_dev_type: output parameter to read the device type.
485 * p_addr_type: output parameter to read the address type.
486 *
487 ******************************************************************************/
BTM_ReadDevInfo(const RawAddress & remote_bda,tBT_DEVICE_TYPE * p_dev_type,tBLE_ADDR_TYPE * p_addr_type)488 void BTM_ReadDevInfo(const RawAddress& remote_bda, tBT_DEVICE_TYPE* p_dev_type,
489 tBLE_ADDR_TYPE* p_addr_type) {
490 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(remote_bda);
491 tBTM_INQ_INFO* p_inq_info = BTM_InqDbRead(remote_bda);
492
493 *p_addr_type = BLE_ADDR_PUBLIC;
494
495 if (!p_dev_rec) {
496 *p_dev_type = BT_DEVICE_TYPE_BREDR;
497 /* Check with the BT manager if details about remote device are known */
498 if (p_inq_info != NULL) {
499 *p_dev_type = p_inq_info->results.device_type;
500 *p_addr_type = p_inq_info->results.ble_addr_type;
501 } else {
502 /* unknown device, assume BR/EDR */
503 BTM_TRACE_DEBUG("btm_find_dev_type - unknown device, BR/EDR assumed");
504 }
505 } else /* there is a security device record exisitng */
506 {
507 /* new inquiry result, merge device type in security device record */
508 if (p_inq_info) {
509 p_dev_rec->device_type |= p_inq_info->results.device_type;
510 if (is_ble_addr_type_known(p_inq_info->results.ble_addr_type))
511 p_dev_rec->ble.SetAddressType(p_inq_info->results.ble_addr_type);
512 else
513 LOG_WARN(
514 "Please do not update device record from anonymous le "
515 "advertisement");
516 }
517
518 if (p_dev_rec->bd_addr == remote_bda &&
519 p_dev_rec->ble.pseudo_addr == remote_bda) {
520 *p_dev_type = p_dev_rec->device_type;
521 *p_addr_type = p_dev_rec->ble.AddressType();
522 } else if (p_dev_rec->ble.pseudo_addr == remote_bda) {
523 *p_dev_type = BT_DEVICE_TYPE_BLE;
524 *p_addr_type = p_dev_rec->ble.AddressType();
525 } else /* matching static adddress only */ {
526 if (p_dev_rec->device_type != BT_DEVICE_TYPE_UNKNOWN) {
527 *p_dev_type = p_dev_rec->device_type;
528 } else {
529 LOG_WARN("device_type not set; assuming BR/EDR");
530 *p_dev_type = BT_DEVICE_TYPE_BREDR;
531 }
532 *p_addr_type = BLE_ADDR_PUBLIC;
533 }
534 }
535 LOG_DEBUG("Determining device_type:%s addr_type:%s",
536 DeviceTypeText(*p_dev_type).c_str(),
537 AddressTypeText(*p_addr_type).c_str());
538 }
539
540 /*******************************************************************************
541 *
542 * Function BTM_ReadConnectedTransportAddress
543 *
544 * Description This function is called to read the paired device/address
545 * type of other device paired corresponding to the BD_address
546 *
547 * Parameter remote_bda: remote device address, carry out the transport
548 * address
549 * transport: active transport
550 *
551 * Return true if an active link is identified; false otherwise
552 *
553 ******************************************************************************/
BTM_ReadConnectedTransportAddress(RawAddress * remote_bda,tBT_TRANSPORT transport)554 bool BTM_ReadConnectedTransportAddress(RawAddress* remote_bda,
555 tBT_TRANSPORT transport) {
556 if (bluetooth::shim::is_gd_shim_enabled()) {
557 return bluetooth::shim::BTM_ReadConnectedTransportAddress(remote_bda,
558 transport);
559 }
560 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*remote_bda);
561
562 /* if no device can be located, return */
563 if (p_dev_rec == NULL) return false;
564
565 if (transport == BT_TRANSPORT_BR_EDR) {
566 if (BTM_IsAclConnectionUp(p_dev_rec->bd_addr, transport)) {
567 *remote_bda = p_dev_rec->bd_addr;
568 return true;
569 } else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR) {
570 *remote_bda = p_dev_rec->bd_addr;
571 } else
572 *remote_bda = RawAddress::kEmpty;
573 return false;
574 }
575
576 if (transport == BT_TRANSPORT_LE) {
577 *remote_bda = p_dev_rec->ble.pseudo_addr;
578 if (BTM_IsAclConnectionUp(p_dev_rec->ble.pseudo_addr, transport))
579 return true;
580 else
581 return false;
582 }
583
584 return false;
585 }
586
587 /*******************************************************************************
588 *
589 * Function BTM_BleReceiverTest
590 *
591 * Description This function is called to start the LE Receiver test
592 *
593 * Parameter rx_freq - Frequency Range
594 * p_cmd_cmpl_cback - Command Complete callback
595 *
596 ******************************************************************************/
BTM_BleReceiverTest(uint8_t rx_freq,tBTM_CMPL_CB * p_cmd_cmpl_cback)597 void BTM_BleReceiverTest(uint8_t rx_freq, tBTM_CMPL_CB* p_cmd_cmpl_cback) {
598 if (bluetooth::shim::is_gd_shim_enabled()) {
599 return bluetooth::shim::BTM_BleReceiverTest(rx_freq, p_cmd_cmpl_cback);
600 }
601 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
602
603 btsnd_hcic_ble_receiver_test(rx_freq);
604 }
605
606 /*******************************************************************************
607 *
608 * Function BTM_BleTransmitterTest
609 *
610 * Description This function is called to start the LE Transmitter test
611 *
612 * Parameter tx_freq - Frequency Range
613 * test_data_len - Length in bytes of payload data in each
614 * packet
615 * packet_payload - Pattern to use in the payload
616 * p_cmd_cmpl_cback - Command Complete callback
617 *
618 ******************************************************************************/
BTM_BleTransmitterTest(uint8_t tx_freq,uint8_t test_data_len,uint8_t packet_payload,tBTM_CMPL_CB * p_cmd_cmpl_cback)619 void BTM_BleTransmitterTest(uint8_t tx_freq, uint8_t test_data_len,
620 uint8_t packet_payload,
621 tBTM_CMPL_CB* p_cmd_cmpl_cback) {
622 if (bluetooth::shim::is_gd_shim_enabled()) {
623 return bluetooth::shim::BTM_BleTransmitterTest(
624 tx_freq, test_data_len, packet_payload, p_cmd_cmpl_cback);
625 }
626 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
627 btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload);
628 }
629
630 /*******************************************************************************
631 *
632 * Function BTM_BleTestEnd
633 *
634 * Description This function is called to stop the in-progress TX or RX
635 * test
636 *
637 * Parameter p_cmd_cmpl_cback - Command complete callback
638 *
639 ******************************************************************************/
BTM_BleTestEnd(tBTM_CMPL_CB * p_cmd_cmpl_cback)640 void BTM_BleTestEnd(tBTM_CMPL_CB* p_cmd_cmpl_cback) {
641 if (bluetooth::shim::is_gd_shim_enabled()) {
642 return bluetooth::shim::BTM_BleTestEnd(p_cmd_cmpl_cback);
643 }
644 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
645
646 btsnd_hcic_ble_test_end();
647 }
648
649 /*******************************************************************************
650 * Internal Functions
651 ******************************************************************************/
btm_ble_test_command_complete(uint8_t * p)652 void btm_ble_test_command_complete(uint8_t* p) {
653 tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
654
655 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
656
657 if (p_cb) {
658 (*p_cb)(p);
659 }
660 }
661
662 /*******************************************************************************
663 *
664 * Function BTM_UseLeLink
665 *
666 * Description This function is to select the underlying physical link to
667 * use.
668 *
669 * Returns true to use LE, false use BR/EDR.
670 *
671 ******************************************************************************/
BTM_UseLeLink(const RawAddress & bd_addr)672 bool BTM_UseLeLink(const RawAddress& bd_addr) {
673 if (bluetooth::shim::is_gd_shim_enabled()) {
674 return bluetooth::shim::BTM_UseLeLink(bd_addr);
675 }
676
677 if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
678 return false;
679 } else if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE)) {
680 return true;
681 }
682
683 tBT_DEVICE_TYPE dev_type;
684 tBLE_ADDR_TYPE addr_type;
685 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
686 return (dev_type == BT_DEVICE_TYPE_BLE);
687 }
688
BTM_SetBleDataLength(const RawAddress & bd_addr,uint16_t tx_pdu_length)689 tBTM_STATUS BTM_SetBleDataLength(const RawAddress& bd_addr,
690 uint16_t tx_pdu_length) {
691 if (!controller_get_interface()->supports_ble_packet_extension()) {
692 LOG_INFO("Local controller unable to support le packet extension");
693 return BTM_ILLEGAL_VALUE;
694 }
695
696 if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX)
697 tx_pdu_length = BTM_BLE_DATA_SIZE_MAX;
698 else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN)
699 tx_pdu_length = BTM_BLE_DATA_SIZE_MIN;
700
701 uint16_t tx_time = BTM_BLE_DATA_TX_TIME_MAX_LEGACY;
702
703 if (controller_get_interface()->get_bt_version()->hci_version >=
704 HCI_PROTO_VERSION_5_0)
705 tx_time = BTM_BLE_DATA_TX_TIME_MAX;
706
707 if (!BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE)) {
708 LOG_INFO(
709 "Unable to set data length because no le acl link connected to device");
710 return BTM_WRONG_MODE;
711 }
712
713 if (bluetooth::shim::is_gd_l2cap_enabled()) {
714 uint16_t handle = bluetooth::shim::L2CA_GetLeHandle(bd_addr);
715 btsnd_hcic_ble_set_data_length(handle, tx_pdu_length, tx_time);
716 return BTM_SUCCESS;
717 }
718
719 uint16_t hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
720
721 if (!acl_peer_supports_ble_packet_extension(hci_handle)) {
722 LOG_INFO("Remote device unable to support le packet extension");
723 return BTM_ILLEGAL_VALUE;
724 }
725
726 tx_pdu_length = std::min<uint16_t>(
727 tx_pdu_length,
728 controller_get_interface()->get_ble_maximum_tx_data_length());
729 tx_time = std::min<uint16_t>(
730 tx_time, controller_get_interface()->get_ble_maximum_tx_time());
731
732 btsnd_hcic_ble_set_data_length(hci_handle, tx_pdu_length, tx_time);
733
734 return BTM_SUCCESS;
735 }
736
read_phy_cb(base::Callback<void (uint8_t tx_phy,uint8_t rx_phy,uint8_t status)> cb,uint8_t * data,uint16_t len)737 void read_phy_cb(
738 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb,
739 uint8_t* data, uint16_t len) {
740 uint8_t status, tx_phy, rx_phy;
741 uint16_t handle;
742
743 LOG_ASSERT(len == 5) << "Received bad response length: " << len;
744 uint8_t* pp = data;
745 STREAM_TO_UINT8(status, pp);
746 STREAM_TO_UINT16(handle, pp);
747 handle = handle & 0x0FFF;
748 STREAM_TO_UINT8(tx_phy, pp);
749 STREAM_TO_UINT8(rx_phy, pp);
750
751 DVLOG(1) << __func__ << " Received read_phy_cb";
752 cb.Run(tx_phy, rx_phy, status);
753 }
754
755 /*******************************************************************************
756 *
757 * Function BTM_BleReadPhy
758 *
759 * Description To read the current PHYs for specified LE connection
760 *
761 *
762 * Returns BTM_SUCCESS if command successfully sent to controller,
763 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
764 * 2M or LE Coded PHY,
765 * BTM_WRONG_MODE if Device in wrong mode for request.
766 *
767 ******************************************************************************/
BTM_BleReadPhy(const RawAddress & bd_addr,base::Callback<void (uint8_t tx_phy,uint8_t rx_phy,uint8_t status)> cb)768 void BTM_BleReadPhy(
769 const RawAddress& bd_addr,
770 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb) {
771 if (bluetooth::shim::is_gd_shim_enabled()) {
772 return bluetooth::shim::BTM_BleReadPhy(bd_addr, cb);
773 }
774 BTM_TRACE_DEBUG("%s", __func__);
775
776 if (!BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE)) {
777 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
778 __func__);
779 cb.Run(0, 0, HCI_ERR_NO_CONNECTION);
780 return;
781 }
782
783 // checking if local controller supports it!
784 if (!controller_get_interface()->supports_ble_2m_phy() &&
785 !controller_get_interface()->supports_ble_coded_phy()) {
786 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
787 __func__);
788 cb.Run(0, 0, GATT_REQ_NOT_SUPPORTED);
789 return;
790 }
791
792 uint16_t handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
793
794 const uint8_t len = HCIC_PARAM_SIZE_BLE_READ_PHY;
795 uint8_t data[len];
796 uint8_t* pp = data;
797 UINT16_TO_STREAM(pp, handle);
798 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_READ_PHY, data, len,
799 base::Bind(&read_phy_cb, std::move(cb)));
800 return;
801 }
802
doNothing(uint8_t * data,uint16_t len)803 void doNothing(uint8_t* data, uint16_t len) {}
804
BTM_BleSetPhy(const RawAddress & bd_addr,uint8_t tx_phys,uint8_t rx_phys,uint16_t phy_options)805 void BTM_BleSetPhy(const RawAddress& bd_addr, uint8_t tx_phys, uint8_t rx_phys,
806 uint16_t phy_options) {
807 if (bluetooth::shim::is_gd_shim_enabled()) {
808 return bluetooth::shim::BTM_BleSetPhy(bd_addr, tx_phys, rx_phys,
809 phy_options);
810 }
811 if (!BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE)) {
812 LOG_INFO(
813 "Unable to set phy preferences because no le acl is connected to "
814 "device");
815 return;
816 }
817
818 uint8_t all_phys = 0;
819 if (tx_phys == 0) all_phys &= 0x01;
820 if (rx_phys == 0) all_phys &= 0x02;
821
822 uint16_t handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
823
824 // checking if local controller supports it!
825 if (!controller_get_interface()->supports_ble_2m_phy() &&
826 !controller_get_interface()->supports_ble_coded_phy()) {
827 LOG_INFO("Local controller unable to support setting of le phy parameters");
828 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys);
829 return;
830 }
831
832 if (!acl_peer_supports_ble_2m_phy(handle) &&
833 !acl_peer_supports_ble_coded_phy(handle)) {
834 LOG_INFO("Remote device unable to support setting of le phy parameter");
835 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys);
836 return;
837 }
838
839 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_PHY;
840 uint8_t data[len];
841 uint8_t* pp = data;
842 UINT16_TO_STREAM(pp, handle);
843 UINT8_TO_STREAM(pp, all_phys);
844 UINT8_TO_STREAM(pp, tx_phys);
845 UINT8_TO_STREAM(pp, rx_phys);
846 UINT16_TO_STREAM(pp, phy_options);
847 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_PHY, data, len,
848 base::Bind(doNothing));
849 }
850
851 /*******************************************************************************
852 *
853 * Function btm_ble_determine_security_act
854 *
855 * Description This function checks the security of current LE link
856 * and returns the appropriate action that needs to be
857 * taken to achieve the required security.
858 *
859 * Parameter is_originator - True if outgoing connection
860 * bdaddr: remote device address
861 * security_required: Security required for the service.
862 *
863 * Returns The appropriate security action required.
864 *
865 ******************************************************************************/
btm_ble_determine_security_act(bool is_originator,const RawAddress & bdaddr,uint16_t security_required)866 tBTM_SEC_ACTION btm_ble_determine_security_act(bool is_originator,
867 const RawAddress& bdaddr,
868 uint16_t security_required) {
869 tBTM_LE_AUTH_REQ auth_req = 0x00;
870
871 if (is_originator) {
872 if ((security_required & BTM_SEC_OUT_FLAGS) == 0 &&
873 (security_required & BTM_SEC_OUT_MITM) == 0) {
874 BTM_TRACE_DEBUG("%s No security required for outgoing connection",
875 __func__);
876 return BTM_SEC_OK;
877 }
878
879 if (security_required & BTM_SEC_OUT_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM;
880 } else {
881 if ((security_required & BTM_SEC_IN_FLAGS) == 0 &&
882 (security_required & BTM_SEC_IN_MITM) == 0) {
883 BTM_TRACE_DEBUG("%s No security required for incoming connection",
884 __func__);
885 return BTM_SEC_OK;
886 }
887
888 if (security_required & BTM_SEC_IN_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM;
889 }
890
891 tBTM_BLE_SEC_REQ_ACT ble_sec_act = { BTM_BLE_SEC_REQ_ACT_NONE };
892 btm_ble_link_sec_check(bdaddr, auth_req, &ble_sec_act);
893
894 BTM_TRACE_DEBUG("%s ble_sec_act %d", __func__, ble_sec_act);
895
896 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD) return BTM_SEC_ENC_PENDING;
897
898 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_NONE) return BTM_SEC_OK;
899
900 bool is_link_encrypted = BTM_IsEncrypted(bdaddr, BT_TRANSPORT_LE);
901 bool is_key_mitm = BTM_IsLinkKeyAuthed(bdaddr, BT_TRANSPORT_LE);
902
903 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
904 if (!is_key_mitm) {
905 return BTM_SEC_ENCRYPT_MITM;
906 } else {
907 if (is_link_encrypted)
908 return BTM_SEC_OK;
909 else
910 return BTM_SEC_ENCRYPT;
911 }
912 } else {
913 if (is_link_encrypted)
914 return BTM_SEC_OK;
915 else
916 return BTM_SEC_ENCRYPT_NO_MITM;
917 }
918
919 return BTM_SEC_OK;
920 }
921
922 /*******************************************************************************
923 *
924 * Function btm_ble_start_sec_check
925 *
926 * Description This function is to check and set the security required for
927 * LE link for LE COC.
928 *
929 * Parameter bdaddr: remote device address.
930 * psm : PSM of the LE COC sevice.
931 * is_originator: true if outgoing connection.
932 * p_callback : Pointer to the callback function.
933 * p_ref_data : Pointer to be returned along with the callback.
934 *
935 * Returns Returns - L2CAP LE Connection Response Result Code.
936 *
937 ******************************************************************************/
btm_ble_start_sec_check(const RawAddress & bd_addr,uint16_t psm,bool is_originator,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)938 tL2CAP_LE_RESULT_CODE btm_ble_start_sec_check(const RawAddress& bd_addr,
939 uint16_t psm, bool is_originator,
940 tBTM_SEC_CALLBACK* p_callback,
941 void* p_ref_data) {
942 /* Find the service record for the PSM */
943 tBTM_SEC_SERV_REC* p_serv_rec = btm_sec_find_first_serv(is_originator, psm);
944
945 /* If there is no application registered with this PSM do not allow connection
946 */
947 if (!p_serv_rec) {
948 LOG_WARN("PSM: %d no application registered", psm);
949 (*p_callback)(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_MODE_UNSUPPORTED);
950 return L2CAP_LE_RESULT_NO_PSM;
951 }
952
953 bool is_encrypted = BTM_IsEncrypted(bd_addr, BT_TRANSPORT_LE);
954 bool is_link_key_authed = BTM_IsLinkKeyAuthed(bd_addr, BT_TRANSPORT_LE);
955 bool is_authenticated = BTM_IsAuthenticated(bd_addr, BT_TRANSPORT_LE);
956
957 if (!is_originator) {
958 if ((p_serv_rec->security_flags & BTM_SEC_IN_ENCRYPT) && !is_encrypted) {
959 LOG_ERROR(
960 "L2CAP_LE_RESULT_INSUFFICIENT_ENCRYP. service "
961 "security_flags=0x%x, ",
962 p_serv_rec->security_flags);
963 return L2CAP_LE_RESULT_INSUFFICIENT_ENCRYP;
964 } else if ((p_serv_rec->security_flags & BTM_SEC_IN_AUTHENTICATE) &&
965 !(is_link_key_authed || is_authenticated)) {
966 LOG_ERROR(
967 "L2CAP_LE_RESULT_INSUFFICIENT_AUTHENTICATION. service "
968 "security_flags=0x%x, ",
969 p_serv_rec->security_flags);
970 return L2CAP_LE_RESULT_INSUFFICIENT_AUTHENTICATION;
971 }
972 /* TODO: When security is required, then must check that the key size of our
973 service is equal or smaller than the incoming connection key size. */
974 }
975
976 tBTM_SEC_ACTION sec_act = btm_ble_determine_security_act(
977 is_originator, bd_addr, p_serv_rec->security_flags);
978
979 tBTM_BLE_SEC_ACT ble_sec_act = BTM_BLE_SEC_NONE;
980 tL2CAP_LE_RESULT_CODE result = L2CAP_LE_RESULT_CONN_OK;
981
982 switch (sec_act) {
983 case BTM_SEC_OK:
984 LOG_DEBUG("Security met");
985 p_callback(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_SUCCESS);
986 result = L2CAP_LE_RESULT_CONN_OK;
987 break;
988
989 case BTM_SEC_ENCRYPT:
990 LOG_DEBUG("Encryption needs to be done");
991 ble_sec_act = BTM_BLE_SEC_ENCRYPT;
992 break;
993
994 case BTM_SEC_ENCRYPT_MITM:
995 LOG_DEBUG("Pairing with MITM needs to be done");
996 ble_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
997 break;
998
999 case BTM_SEC_ENCRYPT_NO_MITM:
1000 LOG_DEBUG("Pairing with No MITM needs to be done");
1001 ble_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
1002 break;
1003
1004 case BTM_SEC_ENC_PENDING:
1005 LOG_DEBUG("Ecryption pending");
1006 break;
1007 }
1008
1009 if (ble_sec_act == BTM_BLE_SEC_NONE) {
1010 if (bluetooth::common::init_flags::queue_l2cap_coc_while_encrypting_is_enabled()) {
1011 if (sec_act != BTM_SEC_ENC_PENDING) {
1012 return result;
1013 }
1014 } else {
1015 return result;
1016 }
1017 } else {
1018 l2cble_update_sec_act(bd_addr, sec_act);
1019 }
1020
1021 BTM_SetEncryption(bd_addr, BT_TRANSPORT_LE, p_callback, p_ref_data,
1022 ble_sec_act);
1023
1024 return L2CAP_LE_RESULT_CONN_OK;
1025 }
1026
1027 /*******************************************************************************
1028 *
1029 * Function btm_ble_rand_enc_complete
1030 *
1031 * Description This function is the callback functions for HCI_Rand command
1032 * and HCI_Encrypt command is completed.
1033 * This message is received from the HCI.
1034 *
1035 * Returns void
1036 *
1037 ******************************************************************************/
btm_ble_rand_enc_complete(uint8_t * p,uint16_t evt_len,uint16_t op_code,tBTM_RAND_ENC_CB * p_enc_cplt_cback)1038 void btm_ble_rand_enc_complete(uint8_t* p, uint16_t evt_len,
1039 uint16_t op_code,
1040 tBTM_RAND_ENC_CB* p_enc_cplt_cback) {
1041 tBTM_RAND_ENC params;
1042 uint8_t* p_dest = params.param_buf;
1043
1044 BTM_TRACE_DEBUG("btm_ble_rand_enc_complete");
1045
1046 memset(¶ms, 0, sizeof(tBTM_RAND_ENC));
1047
1048 /* If there was a callback address for vcs complete, call it */
1049 if (p_enc_cplt_cback && p) {
1050
1051 if (evt_len < 1) {
1052 goto err_out;
1053 }
1054
1055 /* Pass paramters to the callback function */
1056 STREAM_TO_UINT8(params.status, p); /* command status */
1057
1058 if (params.status == HCI_SUCCESS) {
1059 params.opcode = op_code;
1060
1061 if (op_code == HCI_BLE_RAND)
1062 params.param_len = BT_OCTET8_LEN;
1063 else
1064 params.param_len = OCTET16_LEN;
1065
1066 if (evt_len < 1 + params.param_len) {
1067 goto err_out;
1068 }
1069
1070 /* Fetch return info from HCI event message */
1071 memcpy(p_dest, p, params.param_len);
1072 }
1073 if (p_enc_cplt_cback) /* Call the Encryption complete callback function */
1074 (*p_enc_cplt_cback)(¶ms);
1075 }
1076
1077 return;
1078
1079 err_out:
1080 BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);
1081 }
1082
1083 /*******************************************************************************
1084 *
1085 * Function btm_ble_get_enc_key_type
1086 *
1087 * Description This function is to increment local sign counter
1088 * Returns None
1089 *
1090 ******************************************************************************/
btm_ble_increment_sign_ctr(const RawAddress & bd_addr,bool is_local)1091 void btm_ble_increment_sign_ctr(const RawAddress& bd_addr, bool is_local) {
1092 tBTM_SEC_DEV_REC* p_dev_rec;
1093
1094 BTM_TRACE_DEBUG("btm_ble_increment_sign_ctr is_local=%d", is_local);
1095
1096 p_dev_rec = btm_find_dev(bd_addr);
1097 if (p_dev_rec != NULL) {
1098 if (is_local)
1099 p_dev_rec->ble.keys.local_counter++;
1100 else
1101 p_dev_rec->ble.keys.counter++;
1102 BTM_TRACE_DEBUG("is_local=%d local sign counter=%d peer sign counter=%d",
1103 is_local, p_dev_rec->ble.keys.local_counter,
1104 p_dev_rec->ble.keys.counter);
1105 }
1106 }
1107
1108 /*******************************************************************************
1109 *
1110 * Function btm_ble_get_enc_key_type
1111 *
1112 * Description This function is to get the BLE key type that has been
1113 * exchanged betweem the local device and the peer device.
1114 *
1115 * Returns p_key_type: output parameter to carry the key type value.
1116 *
1117 ******************************************************************************/
btm_ble_get_enc_key_type(const RawAddress & bd_addr,uint8_t * p_key_types)1118 bool btm_ble_get_enc_key_type(const RawAddress& bd_addr, uint8_t* p_key_types) {
1119 tBTM_SEC_DEV_REC* p_dev_rec;
1120
1121 BTM_TRACE_DEBUG("btm_ble_get_enc_key_type");
1122
1123 p_dev_rec = btm_find_dev(bd_addr);
1124 if (p_dev_rec != NULL) {
1125 *p_key_types = p_dev_rec->ble.key_type;
1126 return true;
1127 }
1128 return false;
1129 }
1130
1131 /*******************************************************************************
1132 *
1133 * Function btm_get_local_div
1134 *
1135 * Description This function is called to read the local DIV
1136 *
1137 * Returns TURE - if a valid DIV is availavle
1138 ******************************************************************************/
btm_get_local_div(const RawAddress & bd_addr,uint16_t * p_div)1139 bool btm_get_local_div(const RawAddress& bd_addr, uint16_t* p_div) {
1140 tBTM_SEC_DEV_REC* p_dev_rec;
1141 bool status = false;
1142 VLOG(1) << __func__ << " bd_addr: " << bd_addr;
1143
1144 *p_div = 0;
1145 p_dev_rec = btm_find_dev(bd_addr);
1146
1147 if (p_dev_rec && p_dev_rec->ble.keys.div) {
1148 status = true;
1149 *p_div = p_dev_rec->ble.keys.div;
1150 }
1151 BTM_TRACE_DEBUG("btm_get_local_div status=%d (1-OK) DIV=0x%x", status,
1152 *p_div);
1153 return status;
1154 }
1155
1156 /*******************************************************************************
1157 *
1158 * Function btm_sec_save_le_key
1159 *
1160 * Description This function is called by the SMP to update
1161 * an BLE key. SMP is internal, whereas all the keys shall
1162 * be sent to the application. The function is also called
1163 * when application passes ble key stored in NVRAM to the
1164 * btm_sec.
1165 * pass_to_application parameter is false in this case.
1166 *
1167 * Returns void
1168 *
1169 ******************************************************************************/
btm_sec_save_le_key(const RawAddress & bd_addr,tBTM_LE_KEY_TYPE key_type,tBTM_LE_KEY_VALUE * p_keys,bool pass_to_application)1170 void btm_sec_save_le_key(const RawAddress& bd_addr, tBTM_LE_KEY_TYPE key_type,
1171 tBTM_LE_KEY_VALUE* p_keys, bool pass_to_application) {
1172 tBTM_SEC_DEV_REC* p_rec;
1173 tBTM_LE_EVT_DATA cb_data;
1174
1175 BTM_TRACE_DEBUG("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",
1176 key_type, pass_to_application);
1177 /* Store the updated key in the device database */
1178
1179 VLOG(1) << "bd_addr:" << bd_addr;
1180
1181 if ((p_rec = btm_find_dev(bd_addr)) != NULL &&
1182 (p_keys || key_type == BTM_LE_KEY_LID)) {
1183 btm_ble_init_pseudo_addr(p_rec, bd_addr);
1184
1185 switch (key_type) {
1186 case BTM_LE_KEY_PENC:
1187 p_rec->ble.keys.pltk = p_keys->penc_key.ltk;
1188 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
1189 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
1190 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
1191 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
1192 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
1193 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1194 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
1195 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1196 else
1197 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1198 BTM_TRACE_DEBUG(
1199 "BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
1200 p_rec->ble.key_type, p_rec->sec_flags, p_rec->ble.keys.sec_level);
1201 break;
1202
1203 case BTM_LE_KEY_PID:
1204 p_rec->ble.keys.irk = p_keys->pid_key.irk;
1205 p_rec->ble.identity_address_with_type.bda =
1206 p_keys->pid_key.identity_addr;
1207 p_rec->ble.identity_address_with_type.type =
1208 p_keys->pid_key.identity_addr_type;
1209 p_rec->ble.key_type |= BTM_LE_KEY_PID;
1210 BTM_TRACE_DEBUG(
1211 "%s: BTM_LE_KEY_PID key_type=0x%x save peer IRK, change bd_addr=%s "
1212 "to id_addr=%s id_addr_type=0x%x",
1213 __func__, p_rec->ble.key_type, p_rec->bd_addr.ToString().c_str(),
1214 p_keys->pid_key.identity_addr.ToString().c_str(),
1215 p_keys->pid_key.identity_addr_type);
1216 /* update device record address as identity address */
1217 p_rec->bd_addr = p_keys->pid_key.identity_addr;
1218 /* combine DUMO device security record if needed */
1219 btm_consolidate_dev(p_rec);
1220 break;
1221
1222 case BTM_LE_KEY_PCSRK:
1223 p_rec->ble.keys.pcsrk = p_keys->pcsrk_key.csrk;
1224 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
1225 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter;
1226 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
1227 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1228 if (p_keys->pcsrk_key.sec_level == SMP_SEC_AUTHENTICATED)
1229 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1230 else
1231 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1232
1233 BTM_TRACE_DEBUG(
1234 "BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x "
1235 "peer_counter=%d",
1236 p_rec->ble.key_type, p_rec->sec_flags,
1237 p_rec->ble.keys.srk_sec_level, p_rec->ble.keys.counter);
1238 break;
1239
1240 case BTM_LE_KEY_LENC:
1241 p_rec->ble.keys.lltk = p_keys->lenc_key.ltk;
1242 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
1243 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
1244 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
1245 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
1246
1247 BTM_TRACE_DEBUG(
1248 "BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x "
1249 "sec_level=0x%x",
1250 p_rec->ble.key_type, p_rec->ble.keys.div, p_rec->ble.keys.key_size,
1251 p_rec->ble.keys.sec_level);
1252 break;
1253
1254 case BTM_LE_KEY_LCSRK: /* local CSRK has been delivered */
1255 p_rec->ble.keys.lcsrk = p_keys->lcsrk_key.csrk;
1256 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
1257 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
1258 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter;
1259 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
1260 BTM_TRACE_DEBUG(
1261 "BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x "
1262 "local_counter=%d",
1263 p_rec->ble.key_type, p_rec->ble.keys.div,
1264 p_rec->ble.keys.local_csrk_sec_level,
1265 p_rec->ble.keys.local_counter);
1266 break;
1267
1268 case BTM_LE_KEY_LID:
1269 p_rec->ble.key_type |= BTM_LE_KEY_LID;
1270 break;
1271 default:
1272 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)",
1273 key_type);
1274 return;
1275 }
1276
1277 VLOG(1) << "BLE key type 0x" << loghex(key_type)
1278 << " updated for BDA: " << bd_addr << " (btm_sec_save_le_key)";
1279
1280 /* Notify the application that one of the BLE keys has been updated
1281 If link key is in progress, it will get sent later.*/
1282 if (pass_to_application && btm_cb.api.p_le_callback) {
1283 cb_data.key.p_key_value = p_keys;
1284 cb_data.key.key_type = key_type;
1285
1286 (*btm_cb.api.p_le_callback)(BTM_LE_KEY_EVT, bd_addr, &cb_data);
1287 }
1288 return;
1289 }
1290
1291 LOG(WARNING) << "BLE key type 0x" << loghex(key_type)
1292 << " called for Unknown BDA or type: " << bd_addr
1293 << "(btm_sec_save_le_key)";
1294
1295 if (p_rec) {
1296 BTM_TRACE_DEBUG("sec_flags=0x%x", p_rec->sec_flags);
1297 }
1298 }
1299
1300 /*******************************************************************************
1301 *
1302 * Function btm_ble_update_sec_key_size
1303 *
1304 * Description update the current lin kencryption key size
1305 *
1306 * Returns void
1307 *
1308 ******************************************************************************/
btm_ble_update_sec_key_size(const RawAddress & bd_addr,uint8_t enc_key_size)1309 void btm_ble_update_sec_key_size(const RawAddress& bd_addr,
1310 uint8_t enc_key_size) {
1311 tBTM_SEC_DEV_REC* p_rec;
1312
1313 BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d",
1314 enc_key_size);
1315
1316 p_rec = btm_find_dev(bd_addr);
1317 if (p_rec != NULL) {
1318 p_rec->enc_key_size = enc_key_size;
1319 }
1320 }
1321
1322 /*******************************************************************************
1323 *
1324 * Function btm_ble_read_sec_key_size
1325 *
1326 * Description update the current lin kencryption key size
1327 *
1328 * Returns void
1329 *
1330 ******************************************************************************/
btm_ble_read_sec_key_size(const RawAddress & bd_addr)1331 uint8_t btm_ble_read_sec_key_size(const RawAddress& bd_addr) {
1332 tBTM_SEC_DEV_REC* p_rec;
1333
1334 p_rec = btm_find_dev(bd_addr);
1335 if (p_rec != NULL) {
1336 return p_rec->enc_key_size;
1337 } else
1338 return 0;
1339 }
1340
1341 /*******************************************************************************
1342 *
1343 * Function btm_ble_link_sec_check
1344 *
1345 * Description Check BLE link security level match.
1346 *
1347 * Returns true: check is OK and the *p_sec_req_act contain the action
1348 *
1349 ******************************************************************************/
btm_ble_link_sec_check(const RawAddress & bd_addr,tBTM_LE_AUTH_REQ auth_req,tBTM_BLE_SEC_REQ_ACT * p_sec_req_act)1350 void btm_ble_link_sec_check(const RawAddress& bd_addr,
1351 tBTM_LE_AUTH_REQ auth_req,
1352 tBTM_BLE_SEC_REQ_ACT* p_sec_req_act) {
1353 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1354 uint8_t req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE;
1355
1356 BTM_TRACE_DEBUG("btm_ble_link_sec_check auth_req =0x%x", auth_req);
1357
1358 if (p_dev_rec == NULL) {
1359 BTM_TRACE_ERROR("btm_ble_link_sec_check received for unknown device");
1360 return;
1361 }
1362
1363 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
1364 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) {
1365 /* race condition: discard the security request while central is encrypting
1366 * the link */
1367 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1368 } else {
1369 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1370 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
1371 req_sec_level = BTM_LE_SEC_AUTHENTICATED;
1372 }
1373
1374 BTM_TRACE_DEBUG("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
1375
1376 /* currently encrpted */
1377 if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED) {
1378 if (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)
1379 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
1380 else
1381 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1382 } else /* unencrypted link */
1383 {
1384 /* if bonded, get the key security level */
1385 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
1386 cur_sec_level = p_dev_rec->ble.keys.sec_level;
1387 else
1388 cur_sec_level = BTM_LE_SEC_NONE;
1389 }
1390
1391 if (cur_sec_level >= req_sec_level) {
1392 /* To avoid re-encryption on an encrypted link for an equal condition
1393 * encryption */
1394 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
1395 } else {
1396 /* start the pariring process to upgrade the keys*/
1397 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR;
1398 }
1399 }
1400
1401 BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
1402 cur_sec_level, req_sec_level, *p_sec_req_act);
1403 }
1404
1405 /*******************************************************************************
1406 *
1407 * Function btm_ble_set_encryption
1408 *
1409 * Description This function is called to ensure that LE connection is
1410 * encrypted. Should be called only on an open connection.
1411 * Typically only needed for connections that first want to
1412 * bring up unencrypted links, then later encrypt them.
1413 *
1414 * Returns void
1415 * the local device ER is copied into er
1416 *
1417 ******************************************************************************/
btm_ble_set_encryption(const RawAddress & bd_addr,tBTM_BLE_SEC_ACT sec_act,uint8_t link_role)1418 tBTM_STATUS btm_ble_set_encryption(const RawAddress& bd_addr,
1419 tBTM_BLE_SEC_ACT sec_act,
1420 uint8_t link_role) {
1421 tBTM_STATUS cmd = BTM_NO_RESOURCES;
1422 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
1423 tBTM_BLE_SEC_REQ_ACT sec_req_act;
1424 tBTM_LE_AUTH_REQ auth_req;
1425
1426 if (p_rec == NULL) {
1427 BTM_TRACE_WARNING(
1428 "btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
1429 return (BTM_WRONG_MODE);
1430 }
1431
1432 BTM_TRACE_DEBUG("btm_ble_set_encryption sec_act=0x%x role_central=%d",
1433 sec_act, p_rec->role_central);
1434
1435 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) {
1436 p_rec->security_required |= BTM_SEC_IN_MITM;
1437 }
1438
1439 switch (sec_act) {
1440 case BTM_BLE_SEC_ENCRYPT:
1441 if (link_role == HCI_ROLE_CENTRAL) {
1442 /* start link layer encryption using the security info stored */
1443 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1444 break;
1445 }
1446 /* if salve role then fall through to call SMP_Pair below which will send
1447 a sec_request to request the central to encrypt the link */
1448 FALLTHROUGH_INTENDED; /* FALLTHROUGH */
1449 case BTM_BLE_SEC_ENCRYPT_NO_MITM:
1450 case BTM_BLE_SEC_ENCRYPT_MITM:
1451 auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
1452 ? SMP_AUTH_BOND
1453 : (SMP_AUTH_BOND | SMP_AUTH_YN_BIT);
1454 btm_ble_link_sec_check(bd_addr, auth_req, &sec_req_act);
1455 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_NONE ||
1456 sec_req_act == BTM_BLE_SEC_REQ_ACT_DISCARD) {
1457 BTM_TRACE_DEBUG("%s, no action needed. Ignore", __func__);
1458 cmd = BTM_SUCCESS;
1459 break;
1460 }
1461 if (link_role == HCI_ROLE_CENTRAL) {
1462 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT) {
1463 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1464 break;
1465 }
1466 }
1467
1468 if (SMP_Pair(bd_addr) == SMP_STARTED) {
1469 cmd = BTM_CMD_STARTED;
1470 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1471 }
1472 break;
1473
1474 default:
1475 cmd = BTM_WRONG_MODE;
1476 break;
1477 }
1478 return cmd;
1479 }
1480
1481 /*******************************************************************************
1482 *
1483 * Function btm_ble_ltk_request
1484 *
1485 * Description This function is called when encryption request is received
1486 * on a peripheral device.
1487 *
1488 *
1489 * Returns void
1490 *
1491 ******************************************************************************/
btm_ble_ltk_request(uint16_t handle,uint8_t rand[8],uint16_t ediv)1492 void btm_ble_ltk_request(uint16_t handle, uint8_t rand[8], uint16_t ediv) {
1493 tBTM_CB* p_cb = &btm_cb;
1494 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
1495
1496 BTM_TRACE_DEBUG("btm_ble_ltk_request");
1497
1498 p_cb->ediv = ediv;
1499
1500 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
1501
1502 if (p_dev_rec != NULL) {
1503 if (!smp_proc_ltk_request(p_dev_rec->bd_addr)) {
1504 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, false, Octet16{0});
1505 }
1506 }
1507 }
1508
1509 /** This function is called to start LE encryption.
1510 * Returns BTM_SUCCESS if encryption was started successfully
1511 */
btm_ble_start_encrypt(const RawAddress & bda,bool use_stk,Octet16 * p_stk)1512 tBTM_STATUS btm_ble_start_encrypt(const RawAddress& bda, bool use_stk,
1513 Octet16* p_stk) {
1514 tBTM_CB* p_cb = &btm_cb;
1515 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1516 BT_OCTET8 dummy_rand = {0};
1517
1518 BTM_TRACE_DEBUG("btm_ble_start_encrypt");
1519
1520 if (!p_rec) {
1521 BTM_TRACE_ERROR("Link is not active, can not encrypt!");
1522 return BTM_WRONG_MODE;
1523 }
1524
1525 if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) {
1526 BTM_TRACE_WARNING("Link Encryption is active, Busy!");
1527 return BTM_BUSY;
1528 }
1529
1530 p_cb->enc_handle = p_rec->ble_hci_handle;
1531
1532 if (use_stk) {
1533 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, *p_stk);
1534 } else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) {
1535 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand,
1536 p_rec->ble.keys.ediv, p_rec->ble.keys.pltk);
1537 } else {
1538 BTM_TRACE_ERROR("No key available to encrypt the link");
1539 return BTM_NO_RESOURCES;
1540 }
1541
1542 if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
1543 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
1544
1545 return BTM_CMD_STARTED;
1546 }
1547
1548 /*******************************************************************************
1549 *
1550 * Function btm_ble_link_encrypted
1551 *
1552 * Description This function is called when LE link encrption status is
1553 * changed.
1554 *
1555 * Returns void
1556 *
1557 ******************************************************************************/
btm_ble_link_encrypted(const RawAddress & bd_addr,uint8_t encr_enable)1558 void btm_ble_link_encrypted(const RawAddress& bd_addr, uint8_t encr_enable) {
1559 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1560 bool enc_cback;
1561
1562 if (!p_dev_rec) {
1563 BTM_TRACE_WARNING(
1564 "btm_ble_link_encrypted (No Device Found!) encr_enable=%d",
1565 encr_enable);
1566 return;
1567 }
1568
1569 BTM_TRACE_DEBUG("btm_ble_link_encrypted encr_enable=%d", encr_enable);
1570
1571 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
1572
1573 smp_link_encrypted(bd_addr, encr_enable);
1574
1575 BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
1576
1577 if (encr_enable && p_dev_rec->enc_key_size == 0)
1578 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
1579
1580 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1581 if (p_dev_rec->p_callback && enc_cback) {
1582 if (encr_enable)
1583 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, true);
1584 else if (p_dev_rec->sec_flags & ~BTM_SEC_LE_LINK_KEY_KNOWN) {
1585 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_FAILED_ON_SECURITY, true);
1586 }
1587 /* Add logic handle for KEY_MISSING */
1588 else if (p_dev_rec->role_central && (p_dev_rec->sec_status == HCI_ERR_KEY_MISSING)) {
1589 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_KEY_MISSING, true);
1590 }
1591 else if (p_dev_rec->role_central)
1592 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, true);
1593 }
1594 /* to notify GATT to send data if any request is pending */
1595 gatt_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr);
1596 }
1597
1598 /*******************************************************************************
1599 *
1600 * Function btm_ble_ltk_request_reply
1601 *
1602 * Description This function is called to send a LTK request reply on a
1603 * peripheral
1604 * device.
1605 *
1606 * Returns void
1607 *
1608 ******************************************************************************/
btm_ble_ltk_request_reply(const RawAddress & bda,bool use_stk,const Octet16 & stk)1609 void btm_ble_ltk_request_reply(const RawAddress& bda, bool use_stk,
1610 const Octet16& stk) {
1611 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1612 tBTM_CB* p_cb = &btm_cb;
1613
1614 if (p_rec == NULL) {
1615 BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device");
1616 return;
1617 }
1618
1619 BTM_TRACE_DEBUG("btm_ble_ltk_request_reply");
1620 p_cb->enc_handle = p_rec->ble_hci_handle;
1621 p_cb->key_size = p_rec->ble.keys.key_size;
1622
1623 BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size);
1624 if (use_stk) {
1625 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
1626 return;
1627 }
1628 /* calculate LTK using peer device */
1629 if (p_rec->ble.key_type & BTM_LE_KEY_LENC) {
1630 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk);
1631 return;
1632 }
1633
1634 p_rec = btm_find_dev_with_lenc(bda);
1635 if (!p_rec) {
1636 btsnd_hcic_ble_ltk_req_neg_reply(btm_cb.enc_handle);
1637 return;
1638 }
1639
1640 LOG_INFO("Found second sec_dev_rec for device that have LTK");
1641 /* This can happen when remote established LE connection using RPA to this
1642 * device, but then pair with us using Classing transport while still keeping
1643 * LE connection. If remote attempts to encrypt the LE connection, we might
1644 * end up here. We will eventually consolidate both entries, this is to avoid
1645 * race conditions. */
1646
1647 LOG_ASSERT(p_rec->ble.key_type & BTM_LE_KEY_LENC);
1648 p_cb->key_size = p_rec->ble.keys.key_size;
1649 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk);
1650 }
1651
1652 /*******************************************************************************
1653 *
1654 * Function btm_ble_io_capabilities_req
1655 *
1656 * Description This function is called to handle SMP get IO capability
1657 * request.
1658 *
1659 * Returns void
1660 *
1661 ******************************************************************************/
btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1662 uint8_t btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC* p_dev_rec,
1663 tBTM_LE_IO_REQ* p_data) {
1664 uint8_t callback_rc = BTM_SUCCESS;
1665 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req");
1666 if (btm_cb.api.p_le_callback) {
1667 /* the callback function implementation may change the IO capability... */
1668 callback_rc = (*btm_cb.api.p_le_callback)(
1669 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data);
1670 }
1671 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) {
1672 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
1673 if (btm_cb.devcb.keep_rfu_in_auth_req) {
1674 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u",
1675 btm_cb.devcb.keep_rfu_in_auth_req);
1676 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU;
1677 btm_cb.devcb.keep_rfu_in_auth_req = false;
1678 } else { /* default */
1679 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1680 }
1681 #else
1682 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1683 #endif
1684
1685 BTM_TRACE_DEBUG(
1686 "btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d "
1687 "auth_req:%d",
1688 p_dev_rec->security_required, p_data->auth_req);
1689 BTM_TRACE_DEBUG(
1690 "btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK "
1691 "1-IRK 2-CSRK)",
1692 p_data->init_keys, p_data->resp_keys);
1693
1694 /* if authentication requires MITM protection, put on the mask */
1695 if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
1696 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
1697
1698 if (!(p_data->auth_req & SMP_AUTH_BOND)) {
1699 BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged");
1700 p_data->init_keys = 0;
1701 p_data->resp_keys = 0;
1702 }
1703
1704 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 3: auth_req:%d",
1705 p_data->auth_req);
1706 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
1707 p_data->init_keys, p_data->resp_keys);
1708
1709 BTM_TRACE_DEBUG(
1710 "btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
1711 p_data->io_cap, p_data->auth_req);
1712
1713 /* remove MITM protection requirement if IO cap does not allow it */
1714 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
1715 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
1716
1717 if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT)) {
1718 /* if Secure Connections are not supported then remove LK derivation,
1719 ** and keypress notifications.
1720 */
1721 BTM_TRACE_DEBUG(
1722 "%s-SC not supported -> No LK derivation, no keypress notifications",
1723 __func__);
1724 p_data->auth_req &= ~SMP_KP_SUPPORT_BIT;
1725 p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK;
1726 p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK;
1727 }
1728
1729 BTM_TRACE_DEBUG(
1730 "btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:0x%02x",
1731 p_data->io_cap, p_data->oob_data, p_data->auth_req);
1732 }
1733 return callback_rc;
1734 }
1735
1736 /*******************************************************************************
1737 *
1738 * Function btm_ble_br_keys_req
1739 *
1740 * Description This function is called to handle SMP request for keys sent
1741 * over BR/EDR.
1742 *
1743 * Returns void
1744 *
1745 ******************************************************************************/
btm_ble_br_keys_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1746 uint8_t btm_ble_br_keys_req(tBTM_SEC_DEV_REC* p_dev_rec,
1747 tBTM_LE_IO_REQ* p_data) {
1748 uint8_t callback_rc = BTM_SUCCESS;
1749 BTM_TRACE_DEBUG("%s", __func__);
1750 p_data->io_cap =
1751 osi_property_get_int32(kPropertyCtkdIoCapabilities, BTM_IO_CAP_UNKNOWN);
1752 p_data->auth_req = osi_property_get_int32(kPropertyCtkdAuthRequest,
1753 BTM_LE_AUTH_REQ_SC_MITM_BOND);
1754 p_data->init_keys = osi_property_get_int32(
1755 kPropertyCtkdInitiatorKeyDistribution, SMP_BR_SEC_DEFAULT_KEY);
1756 p_data->resp_keys = osi_property_get_int32(
1757 kPropertyCtkdResponderKeyDistribution, SMP_BR_SEC_DEFAULT_KEY);
1758 p_data->max_key_size =
1759 osi_property_get_int32(kPropertyCtkdMaxKeySize, BTM_BLE_MAX_KEY_SIZE);
1760 // No OOB data for BR/EDR
1761 p_data->oob_data = false;
1762
1763 return callback_rc;
1764 }
1765
1766 /*******************************************************************************
1767 *
1768 * Function btm_ble_connected
1769 *
1770 * Description This function is when a LE connection to the peer device is
1771 * establsihed
1772 *
1773 * Returns void
1774 *
1775 ******************************************************************************/
btm_ble_connected(const RawAddress & bda,uint16_t handle,uint8_t enc_mode,uint8_t role,tBLE_ADDR_TYPE addr_type,bool addr_matched)1776 void btm_ble_connected(const RawAddress& bda, uint16_t handle, uint8_t enc_mode,
1777 uint8_t role, tBLE_ADDR_TYPE addr_type,
1778 bool addr_matched) {
1779 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
1780 if (!p_dev_rec) {
1781 LOG_INFO("Creating new device record for new ble connection");
1782 p_dev_rec = btm_sec_alloc_dev(bda);
1783 if (p_dev_rec == nullptr) {
1784 LOG_WARN("Unable to create device record for new ble connection");
1785 return;
1786 }
1787 } else {
1788 LOG_INFO("Updating device record timestamp for existing ble connection");
1789 // TODO() Why is timestamp a counter ?
1790 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
1791 }
1792
1793 if (is_ble_addr_type_known(addr_type))
1794 p_dev_rec->ble.SetAddressType(addr_type);
1795 else
1796 LOG_WARN(
1797 "Please do not update device record from anonymous le advertisement");
1798
1799 p_dev_rec->ble.pseudo_addr = bda;
1800 p_dev_rec->ble_hci_handle = handle;
1801 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
1802 p_dev_rec->role_central = (role == HCI_ROLE_CENTRAL) ? true : false;
1803
1804 if (!addr_matched) {
1805 p_dev_rec->ble.active_addr_type = tBTM_SEC_BLE::BTM_BLE_ADDR_PSEUDO;
1806 if (p_dev_rec->ble.AddressType() == BLE_ADDR_RANDOM) {
1807 p_dev_rec->ble.cur_rand_addr = bda;
1808 }
1809 }
1810 btm_cb.ble_ctr_cb.inq_var.directed_conn = BTM_BLE_ADV_IND_EVT;
1811 }
1812
btm_ble_connected_from_address_with_type(const tBLE_BD_ADDR & address_with_type,uint16_t handle,uint8_t enc_mode,uint8_t role,bool addr_matched)1813 void btm_ble_connected_from_address_with_type(
1814 const tBLE_BD_ADDR& address_with_type, uint16_t handle, uint8_t enc_mode,
1815 uint8_t role, bool addr_matched) {
1816 btm_ble_connected(address_with_type.bda, handle, enc_mode, role,
1817 address_with_type.type, addr_matched);
1818 }
1819
1820 /*****************************************************************************
1821 * Function btm_proc_smp_cback
1822 *
1823 * Description This function is the SMP callback handler.
1824 *
1825 *****************************************************************************/
btm_proc_smp_cback(tSMP_EVT event,const RawAddress & bd_addr,const tSMP_EVT_DATA * p_data)1826 tBTM_STATUS btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr,
1827 const tSMP_EVT_DATA* p_data) {
1828 BTM_TRACE_DEBUG("btm_proc_smp_cback event = %d", event);
1829
1830 if (event == SMP_SC_LOC_OOB_DATA_UP_EVT) {
1831 btm_sec_cr_loc_oob_data_cback_event(RawAddress{}, p_data->loc_oob_data);
1832 return BTM_SUCCESS;
1833 }
1834
1835 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1836 tBTM_STATUS res = BTM_SUCCESS;
1837
1838 if (p_dev_rec != NULL) {
1839 switch (event) {
1840 case SMP_IO_CAP_REQ_EVT:
1841 btm_ble_io_capabilities_req(p_dev_rec,
1842 (tBTM_LE_IO_REQ*)&p_data->io_req);
1843 break;
1844
1845 case SMP_BR_KEYS_REQ_EVT:
1846 btm_ble_br_keys_req(p_dev_rec, (tBTM_LE_IO_REQ*)&p_data->io_req);
1847 break;
1848
1849 case SMP_PASSKEY_REQ_EVT:
1850 case SMP_PASSKEY_NOTIF_EVT:
1851 case SMP_OOB_REQ_EVT:
1852 case SMP_NC_REQ_EVT:
1853 case SMP_SC_OOB_REQ_EVT:
1854 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
1855 FALLTHROUGH_INTENDED; /* FALLTHROUGH */
1856
1857 case SMP_CONSENT_REQ_EVT:
1858 case SMP_SEC_REQUEST_EVT:
1859 if (event == SMP_SEC_REQUEST_EVT &&
1860 btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
1861 BTM_TRACE_DEBUG("%s: Ignoring SMP Security request", __func__);
1862 break;
1863 }
1864 btm_cb.pairing_bda = bd_addr;
1865 if (event != SMP_CONSENT_REQ_EVT) {
1866 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1867 }
1868 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1869 FALLTHROUGH_INTENDED; /* FALLTHROUGH */
1870
1871 case SMP_COMPLT_EVT:
1872 if (btm_cb.api.p_le_callback) {
1873 /* the callback function implementation may change the IO
1874 * capability... */
1875 BTM_TRACE_DEBUG("btm_cb.api.p_le_callback=0x%x",
1876 btm_cb.api.p_le_callback);
1877 (*btm_cb.api.p_le_callback)(event, bd_addr,
1878 (tBTM_LE_EVT_DATA*)p_data);
1879 }
1880
1881 if (event == SMP_COMPLT_EVT) {
1882 p_dev_rec = btm_find_dev(bd_addr);
1883 if (p_dev_rec == NULL) {
1884 BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
1885 return BTM_SUCCESS;
1886 }
1887 BTM_TRACE_DEBUG(
1888 "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
1889 p_data->cmplt.sec_level, p_dev_rec->sec_flags);
1890
1891 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS
1892 : BTM_ERR_PROCESSING;
1893
1894 BTM_TRACE_DEBUG(
1895 "after update result=%d sec_level=0x%x sec_flags=0x%x", res,
1896 p_data->cmplt.sec_level, p_dev_rec->sec_flags);
1897
1898 if (p_data->cmplt.is_pair_cancel &&
1899 btm_cb.api.p_bond_cancel_cmpl_callback) {
1900 BTM_TRACE_DEBUG("Pairing Cancel completed");
1901 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
1902 }
1903 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
1904 if (res != BTM_SUCCESS) {
1905 if (!btm_cb.devcb.no_disc_if_pair_fail &&
1906 p_data->cmplt.reason != SMP_CONN_TOUT) {
1907 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL");
1908 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
1909 } else {
1910 BTM_TRACE_DEBUG("Pairing failed - Not Removing ACL");
1911 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1912 }
1913 }
1914 #else
1915 if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT) {
1916 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL");
1917 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
1918 }
1919 #endif
1920
1921 BTM_TRACE_DEBUG(
1922 "btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
1923 btm_cb.pairing_state, btm_cb.pairing_flags, btm_cb.pin_code_len);
1924 VLOG(1) << "btm_cb.pairing_bda: " << btm_cb.pairing_bda;
1925
1926 /* Reset btm state only if the callback address matches pairing
1927 * address*/
1928 if (bd_addr == btm_cb.pairing_bda) {
1929 btm_cb.pairing_bda = RawAddress::kAny;
1930 btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
1931 btm_cb.pairing_flags = 0;
1932 }
1933
1934 if (res == BTM_SUCCESS) {
1935 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1936 /* add all bonded device into resolving list if IRK is available*/
1937 btm_ble_resolving_list_load_dev(*p_dev_rec);
1938 }
1939
1940 btm_sec_dev_rec_cback_event(p_dev_rec, res, true);
1941 }
1942 break;
1943
1944 case SMP_LE_ADDR_ASSOC_EVT:
1945 if (btm_cb.api.p_le_callback) {
1946 BTM_TRACE_DEBUG("btm_cb.api.p_le_callback=0x%x",
1947 btm_cb.api.p_le_callback);
1948 (*btm_cb.api.p_le_callback)(event, bd_addr,
1949 (tBTM_LE_EVT_DATA*)p_data);
1950 }
1951 break;
1952
1953 default:
1954 BTM_TRACE_DEBUG("unknown event = %d", event);
1955 break;
1956 }
1957 } else {
1958 LOG_WARN("Unexpected event '%d' for unknown device.", event);
1959 }
1960
1961 return BTM_SUCCESS;
1962 }
1963
1964 /*******************************************************************************
1965 *
1966 * Function BTM_BleDataSignature
1967 *
1968 * Description This function is called to sign the data using AES128 CMAC
1969 * algorith.
1970 *
1971 * Parameter bd_addr: target device the data to be signed for.
1972 * p_text: singing data
1973 * len: length of the data to be signed.
1974 * signature: output parameter where data signature is going to
1975 * be stored.
1976 *
1977 * Returns true if signing sucessul, otherwise false.
1978 *
1979 ******************************************************************************/
BTM_BleDataSignature(const RawAddress & bd_addr,uint8_t * p_text,uint16_t len,BLE_SIGNATURE signature)1980 bool BTM_BleDataSignature(const RawAddress& bd_addr, uint8_t* p_text,
1981 uint16_t len, BLE_SIGNATURE signature) {
1982 if (bluetooth::shim::is_gd_shim_enabled()) {
1983 return bluetooth::shim::BTM_BleDataSignature(bd_addr, p_text, len,
1984 signature);
1985 }
1986 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
1987
1988 BTM_TRACE_DEBUG("%s", __func__);
1989 if (p_rec == NULL) {
1990 BTM_TRACE_ERROR("%s-data signing can not be done from unknown device",
1991 __func__);
1992 return false;
1993 }
1994
1995 uint8_t* p_mac = (uint8_t*)signature;
1996 uint8_t* pp;
1997 uint8_t* p_buf = (uint8_t*)osi_malloc(len + 4);
1998
1999 BTM_TRACE_DEBUG("%s-Start to generate Local CSRK", __func__);
2000 pp = p_buf;
2001 /* prepare plain text */
2002 if (p_text) {
2003 memcpy(p_buf, p_text, len);
2004 pp = (p_buf + len);
2005 }
2006
2007 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
2008 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
2009
2010 crypto_toolbox::aes_cmac(p_rec->ble.keys.lcsrk, p_buf, (uint16_t)(len + 4),
2011 BTM_CMAC_TLEN_SIZE, p_mac);
2012 btm_ble_increment_sign_ctr(bd_addr, true);
2013
2014 BTM_TRACE_DEBUG("%s p_mac = %d", __func__, p_mac);
2015 BTM_TRACE_DEBUG(
2016 "p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = "
2017 "0x%02x",
2018 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
2019 BTM_TRACE_DEBUG(
2020 "p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = "
2021 "0x%02x",
2022 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
2023 osi_free(p_buf);
2024 return true;
2025 }
2026
2027 /*******************************************************************************
2028 *
2029 * Function BTM_BleVerifySignature
2030 *
2031 * Description This function is called to verify the data signature
2032 *
2033 * Parameter bd_addr: target device the data to be signed for.
2034 * p_orig: original data before signature.
2035 * len: length of the signing data
2036 * counter: counter used when doing data signing
2037 * p_comp: signature to be compared against.
2038
2039 * Returns true if signature verified correctly; otherwise false.
2040 *
2041 ******************************************************************************/
BTM_BleVerifySignature(const RawAddress & bd_addr,uint8_t * p_orig,uint16_t len,uint32_t counter,uint8_t * p_comp)2042 bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
2043 uint16_t len, uint32_t counter, uint8_t* p_comp) {
2044 if (bluetooth::shim::is_gd_shim_enabled()) {
2045 return bluetooth::shim::BTM_BleVerifySignature(bd_addr, p_orig, len,
2046 counter, p_comp);
2047 }
2048 bool verified = false;
2049 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
2050 uint8_t p_mac[BTM_CMAC_TLEN_SIZE];
2051
2052 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) {
2053 BTM_TRACE_ERROR("can not verify signature for unknown device");
2054 } else if (counter < p_rec->ble.keys.counter) {
2055 BTM_TRACE_ERROR("signature received with out dated sign counter");
2056 } else if (p_orig == NULL) {
2057 BTM_TRACE_ERROR("No signature to verify");
2058 } else {
2059 BTM_TRACE_DEBUG("%s rcv_cnt=%d >= expected_cnt=%d", __func__, counter,
2060 p_rec->ble.keys.counter);
2061
2062 crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len,
2063 BTM_CMAC_TLEN_SIZE, p_mac);
2064 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
2065 btm_ble_increment_sign_ctr(bd_addr, false);
2066 verified = true;
2067 }
2068 }
2069 return verified;
2070 }
2071
2072 /*******************************************************************************
2073 * Utility functions for LE device IR/ER generation
2074 ******************************************************************************/
2075 /** This function is to notify application new keys have been generated. */
btm_notify_new_key(uint8_t key_type)2076 static void btm_notify_new_key(uint8_t key_type) {
2077 tBTM_BLE_LOCAL_KEYS* p_local_keys = NULL;
2078
2079 BTM_TRACE_DEBUG("btm_notify_new_key key_type=%d", key_type);
2080
2081 if (btm_cb.api.p_le_key_callback) {
2082 switch (key_type) {
2083 case BTM_BLE_KEY_TYPE_ID:
2084 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ID");
2085 p_local_keys = (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.id_keys;
2086 break;
2087
2088 case BTM_BLE_KEY_TYPE_ER:
2089 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ER");
2090 p_local_keys =
2091 (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.ble_encryption_key_value;
2092 break;
2093
2094 default:
2095 BTM_TRACE_ERROR("unknown key type: %d", key_type);
2096 break;
2097 }
2098 if (p_local_keys != NULL)
2099 (*btm_cb.api.p_le_key_callback)(key_type, p_local_keys);
2100 }
2101 }
2102
2103 /** implementation of btm_ble_reset_id */
btm_ble_reset_id_impl(const Octet16 & rand1,const Octet16 & rand2)2104 static void btm_ble_reset_id_impl(const Octet16& rand1, const Octet16& rand2) {
2105 /* Regenerate Identity Root */
2106 btm_cb.devcb.id_keys.ir = rand1;
2107 uint8_t btm_ble_dhk_pt = 0x03;
2108
2109 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
2110 btm_cb.devcb.id_keys.dhk =
2111 crypto_toolbox::aes_128(btm_cb.devcb.id_keys.ir, &btm_ble_dhk_pt, 1);
2112
2113 uint8_t btm_ble_irk_pt = 0x01;
2114 /* IRK = D1(IR, 1) */
2115 btm_cb.devcb.id_keys.irk =
2116 crypto_toolbox::aes_128(btm_cb.devcb.id_keys.ir, &btm_ble_irk_pt, 1);
2117
2118 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
2119
2120 /* if privacy is enabled, new RPA should be calculated */
2121 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) {
2122 btm_gen_resolvable_private_addr(base::Bind(&btm_gen_resolve_paddr_low));
2123 }
2124
2125 /* proceed generate ER */
2126 btm_cb.devcb.ble_encryption_key_value = rand2;
2127 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
2128
2129 /* if privacy is enabled, update the irk and RPA in the LE address manager */
2130 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) {
2131 BTM_BleConfigPrivacy(true);
2132 }
2133 }
2134
2135 struct reset_id_data {
2136 Octet16 rand1;
2137 Octet16 rand2;
2138 };
2139
2140 /** This function is called to reset LE device identity. */
btm_ble_reset_id(void)2141 void btm_ble_reset_id(void) {
2142 BTM_TRACE_DEBUG("btm_ble_reset_id");
2143
2144 /* In order to reset identity, we need four random numbers. Make four nested
2145 * calls to generate them first, then proceed to perform the actual reset in
2146 * btm_ble_reset_id_impl. */
2147 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) {
2148 reset_id_data tmp;
2149 memcpy(tmp.rand1.data(), rand, BT_OCTET8_LEN);
2150 btsnd_hcic_ble_rand(base::Bind(
2151 [](reset_id_data tmp, BT_OCTET8 rand) {
2152 memcpy(tmp.rand1.data() + 8, rand, BT_OCTET8_LEN);
2153 btsnd_hcic_ble_rand(base::Bind(
2154 [](reset_id_data tmp, BT_OCTET8 rand) {
2155 memcpy(tmp.rand2.data(), rand, BT_OCTET8_LEN);
2156 btsnd_hcic_ble_rand(base::Bind(
2157 [](reset_id_data tmp, BT_OCTET8 rand) {
2158 memcpy(tmp.rand2.data() + 8, rand, BT_OCTET8_LEN);
2159 // when all random numbers are ready, do the actual reset.
2160 btm_ble_reset_id_impl(tmp.rand1, tmp.rand2);
2161 },
2162 tmp));
2163 },
2164 tmp));
2165 },
2166 tmp));
2167 }));
2168 }
2169
2170 /*******************************************************************************
2171 *
2172 * Function btm_ble_get_acl_remote_addr
2173 *
2174 * Description This function reads the active remote address used for the
2175 * connection.
2176 *
2177 * Returns success return true, otherwise false.
2178 *
2179 ******************************************************************************/
btm_ble_get_acl_remote_addr(uint16_t hci_handle,RawAddress & conn_addr,tBLE_ADDR_TYPE * p_addr_type)2180 bool btm_ble_get_acl_remote_addr(uint16_t hci_handle, RawAddress& conn_addr,
2181 tBLE_ADDR_TYPE* p_addr_type) {
2182 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
2183 if (p_dev_rec == nullptr) {
2184 LOG_WARN("Unable to find security device record hci_handle:%hu",
2185 hci_handle);
2186 // TODO Release acl resource
2187 return false;
2188 }
2189
2190 bool st = true;
2191
2192 switch (p_dev_rec->ble.active_addr_type) {
2193 case tBTM_SEC_BLE::BTM_BLE_ADDR_PSEUDO:
2194 conn_addr = p_dev_rec->bd_addr;
2195 *p_addr_type = p_dev_rec->ble.AddressType();
2196 break;
2197
2198 case tBTM_SEC_BLE::BTM_BLE_ADDR_RRA:
2199 conn_addr = p_dev_rec->ble.cur_rand_addr;
2200 *p_addr_type = BLE_ADDR_RANDOM;
2201 break;
2202
2203 case tBTM_SEC_BLE::BTM_BLE_ADDR_STATIC:
2204 conn_addr = p_dev_rec->ble.identity_address_with_type.bda;
2205 *p_addr_type = p_dev_rec->ble.identity_address_with_type.type;
2206 break;
2207
2208 default:
2209 LOG_WARN("Unable to find record with active address type: %d",
2210 p_dev_rec->ble.active_addr_type);
2211 st = false;
2212 break;
2213 }
2214 return st;
2215 }
2216
2217 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
2218 /*******************************************************************************
2219 *
2220 * Function btm_ble_set_no_disc_if_pair_fail
2221 *
2222 * Description This function indicates whether no disconnect of the ACL
2223 * should be used if pairing failed
2224 *
2225 * Returns void
2226 *
2227 ******************************************************************************/
btm_ble_set_no_disc_if_pair_fail(bool disable_disc)2228 void btm_ble_set_no_disc_if_pair_fail(bool disable_disc) {
2229 BTM_TRACE_DEBUG("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d",
2230 disable_disc);
2231 btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
2232 }
2233
2234 /*******************************************************************************
2235 *
2236 * Function btm_ble_set_test_mac_value
2237 *
2238 * Description This function set test MAC value
2239 *
2240 * Returns void
2241 *
2242 ******************************************************************************/
btm_ble_set_test_mac_value(bool enable,uint8_t * p_test_mac_val)2243 void btm_ble_set_test_mac_value(bool enable, uint8_t* p_test_mac_val) {
2244 BTM_TRACE_DEBUG("btm_ble_set_test_mac_value enable=%d", enable);
2245 btm_cb.devcb.enable_test_mac_val = enable;
2246 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
2247 }
2248
2249 /*******************************************************************************
2250 *
2251 * Function btm_ble_set_test_local_sign_cntr_value
2252 *
2253 * Description This function set test local sign counter value
2254 *
2255 * Returns void
2256 *
2257 ******************************************************************************/
btm_ble_set_test_local_sign_cntr_value(bool enable,uint32_t test_local_sign_cntr)2258 void btm_ble_set_test_local_sign_cntr_value(bool enable,
2259 uint32_t test_local_sign_cntr) {
2260 BTM_TRACE_DEBUG(
2261 "btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
2262 enable, test_local_sign_cntr);
2263 btm_cb.devcb.enable_test_local_sign_cntr = enable;
2264 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr;
2265 }
2266
2267 /*******************************************************************************
2268 *
2269 * Function btm_ble_set_keep_rfu_in_auth_req
2270 *
2271 * Description This function indicates if RFU bits have to be kept as is
2272 * (by default they have to be set to 0 by the sender).
2273 *
2274 * Returns void
2275 *
2276 ******************************************************************************/
btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu)2277 void btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu) {
2278 BTM_TRACE_DEBUG("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu);
2279 btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu;
2280 }
2281
2282 #endif /* BTM_BLE_CONFORMANCE_TESTING */
2283