1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * this file contains GATT authentication handling functions
22 *
23 ******************************************************************************/
24 #include <string.h>
25
26 #include "bt_target.h"
27 #include "bt_utils.h"
28 #include "gatt_api.h"
29 #include "gatt_int.h"
30 #include "osi/include/allocator.h"
31 #include "osi/include/osi.h"
32 #include "stack/btm/btm_ble_int.h"
33 #include "stack/btm/btm_ble_int_types.h"
34 #include "stack/btm/btm_sec.h"
35 #include "stack/include/bt_hdr.h"
36 #include "types/raw_address.h"
37
38 #include <base/logging.h>
39
40 using base::StringPrintf;
41
42 /*******************************************************************************
43 *
44 * Function gatt_sign_data
45 *
46 * Description This function sign the data for write command.
47 *
48 * Returns true if encrypted, otherwise false.
49 *
50 ******************************************************************************/
gatt_sign_data(tGATT_CLCB * p_clcb)51 static bool gatt_sign_data(tGATT_CLCB* p_clcb) {
52 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
53 uint8_t *p_data = NULL, *p;
54 uint16_t payload_size = p_clcb->p_tcb->payload_size;
55 bool status = false;
56 uint8_t* p_signature;
57
58 /* do not need to mark channel securoty activity for data signing */
59 gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_OK);
60
61 p_data =
62 (uint8_t*)osi_malloc(p_attr->len + 3); /* 3 = 2 byte handle + opcode */
63
64 p = p_data;
65 UINT8_TO_STREAM(p, GATT_SIGN_CMD_WRITE);
66 UINT16_TO_STREAM(p, p_attr->handle);
67 ARRAY_TO_STREAM(p, p_attr->value, p_attr->len);
68
69 /* sign data length should be attribulte value length plus 2B handle + 1B op
70 * code */
71 if ((payload_size - GATT_AUTH_SIGN_LEN - 3) < p_attr->len)
72 p_attr->len = payload_size - GATT_AUTH_SIGN_LEN - 3;
73
74 p_signature = p_attr->value + p_attr->len;
75 if (BTM_BleDataSignature(
76 p_clcb->p_tcb->peer_bda, p_data,
77 (uint16_t)(p_attr->len + 3), /* 3 = 2 byte handle + opcode */
78 p_signature)) {
79 p_attr->len += BTM_BLE_AUTH_SIGN_LEN;
80 gatt_set_ch_state(p_clcb->p_tcb, GATT_CH_OPEN);
81 gatt_act_write(p_clcb, GATT_SEC_SIGN_DATA);
82 } else {
83 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, NULL);
84 }
85
86 osi_free(p_data);
87
88 return status;
89 }
90
91 /*******************************************************************************
92 *
93 * Function gatt_verify_signature
94 *
95 * Description This function start to verify the sign data when receiving
96 * the data from peer device.
97 *
98 * Returns
99 *
100 ******************************************************************************/
gatt_verify_signature(tGATT_TCB & tcb,uint16_t cid,BT_HDR * p_buf)101 void gatt_verify_signature(tGATT_TCB& tcb, uint16_t cid, BT_HDR* p_buf) {
102 uint16_t cmd_len;
103 uint8_t op_code;
104 uint8_t *p, *p_orig = (uint8_t*)(p_buf + 1) + p_buf->offset;
105 uint32_t counter;
106
107 if (p_buf->len < GATT_AUTH_SIGN_LEN + 4) {
108 LOG(ERROR) << StringPrintf("%s: Data length %u less than expected %u",
109 __func__, p_buf->len, GATT_AUTH_SIGN_LEN + 4);
110 return;
111 }
112 cmd_len = p_buf->len - GATT_AUTH_SIGN_LEN + 4;
113 p = p_orig + cmd_len - 4;
114 STREAM_TO_UINT32(counter, p);
115
116 if (!BTM_BleVerifySignature(tcb.peer_bda, p_orig, cmd_len, counter, p)) {
117 /* if this is a bad signature, assume from attacker, ignore it */
118 LOG(ERROR) << StringPrintf("Signature Verification Failed, data ignored");
119 return;
120 }
121
122 STREAM_TO_UINT8(op_code, p_orig);
123 gatt_server_handle_client_req(tcb, cid, op_code, (uint16_t)(p_buf->len - 1),
124 p_orig);
125 }
126 /*******************************************************************************
127 *
128 * Function gatt_sec_check_complete
129 *
130 * Description security check complete and proceed to data sending action.
131 *
132 * Returns void.
133 *
134 ******************************************************************************/
gatt_sec_check_complete(bool sec_check_ok,tGATT_CLCB * p_clcb,uint8_t sec_act)135 void gatt_sec_check_complete(bool sec_check_ok, tGATT_CLCB* p_clcb,
136 uint8_t sec_act) {
137 if (p_clcb && p_clcb->p_tcb && p_clcb->p_tcb->pending_enc_clcb.empty()) {
138 gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_NONE);
139 }
140
141 if (!sec_check_ok) {
142 gatt_end_operation(p_clcb, GATT_AUTH_FAIL, NULL);
143 } else if (p_clcb->operation == GATTC_OPTYPE_WRITE) {
144 gatt_act_write(p_clcb, sec_act);
145 } else if (p_clcb->operation == GATTC_OPTYPE_READ) {
146 gatt_act_read(p_clcb, p_clcb->counter);
147 }
148 }
149 /*******************************************************************************
150 *
151 * Function gatt_enc_cmpl_cback
152 *
153 * Description link encryption complete callback.
154 *
155 * Returns
156 *
157 ******************************************************************************/
gatt_enc_cmpl_cback(const RawAddress * bd_addr,tBT_TRANSPORT transport,UNUSED_ATTR void * p_ref_data,tBTM_STATUS result)158 void gatt_enc_cmpl_cback(const RawAddress* bd_addr, tBT_TRANSPORT transport,
159 UNUSED_ATTR void* p_ref_data, tBTM_STATUS result) {
160 VLOG(1) << StringPrintf("gatt_enc_cmpl_cback");
161 tGATT_TCB* p_tcb = gatt_find_tcb_by_addr(*bd_addr, transport);
162 if (!p_tcb) {
163 LOG(ERROR) << StringPrintf("%s: enc callback for unknown bd_addr",
164 __func__);
165 return;
166 }
167
168 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) return;
169
170 if (p_tcb->pending_enc_clcb.empty()) {
171 LOG(ERROR) << StringPrintf("%s: no operation waiting for encrypting",
172 __func__);
173 return;
174 }
175
176 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
177 p_tcb->pending_enc_clcb.pop_front();
178
179 if (p_clcb != NULL) {
180 bool status = false;
181 if (result == BTM_SUCCESS) {
182 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENCRYPT_MITM) {
183 status = BTM_IsLinkKeyAuthed(*bd_addr, transport);
184 } else {
185 status = true;
186 }
187 }
188
189 gatt_sec_check_complete(status, p_clcb, p_tcb->sec_act);
190 }
191
192 /* start all other pending operation in queue */
193 std::deque<tGATT_CLCB*> new_pending_clcbs;
194 while (!p_tcb->pending_enc_clcb.empty()) {
195 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
196 p_tcb->pending_enc_clcb.pop_front();
197 if (p_clcb != NULL && gatt_security_check_start(p_clcb))
198 new_pending_clcbs.push_back(p_clcb);
199 }
200 p_tcb->pending_enc_clcb = new_pending_clcbs;
201 }
202
203 /*******************************************************************************
204 *
205 * Function gatt_notify_enc_cmpl
206 *
207 * Description link encryption complete notification for all encryption
208 * process initiated outside GATT.
209 *
210 * Returns
211 *
212 ******************************************************************************/
gatt_notify_enc_cmpl(const RawAddress & bd_addr)213 void gatt_notify_enc_cmpl(const RawAddress& bd_addr) {
214 tGATT_TCB* p_tcb = gatt_find_tcb_by_addr(bd_addr, BT_TRANSPORT_LE);
215 if (!p_tcb) {
216 VLOG(1) << StringPrintf(
217 "notify GATT for encryption completion of unknown device");
218 return;
219 }
220
221 for (uint8_t i = 0; i < GATT_MAX_APPS; i++) {
222 if (gatt_cb.cl_rcb[i].in_use && gatt_cb.cl_rcb[i].app_cb.p_enc_cmpl_cb) {
223 (*gatt_cb.cl_rcb[i].app_cb.p_enc_cmpl_cb)(gatt_cb.cl_rcb[i].gatt_if,
224 bd_addr);
225 }
226 }
227
228 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) {
229 gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
230
231 std::deque<tGATT_CLCB*> new_pending_clcbs;
232 while (!p_tcb->pending_enc_clcb.empty()) {
233 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
234 p_tcb->pending_enc_clcb.pop_front();
235 if (p_clcb != NULL && gatt_security_check_start(p_clcb))
236 new_pending_clcbs.push_back(p_clcb);
237 }
238 p_tcb->pending_enc_clcb = new_pending_clcbs;
239 }
240 }
241 /*******************************************************************************
242 *
243 * Function gatt_set_sec_act
244 *
245 * Description This function set the sec_act in clcb
246 *
247 * Returns none
248 *
249 ******************************************************************************/
gatt_set_sec_act(tGATT_TCB * p_tcb,tGATT_SEC_ACTION sec_act)250 void gatt_set_sec_act(tGATT_TCB* p_tcb, tGATT_SEC_ACTION sec_act) {
251 if (p_tcb) {
252 p_tcb->sec_act = sec_act;
253 }
254 }
255 /*******************************************************************************
256 *
257 * Function gatt_get_sec_act
258 *
259 * Description This function get the sec_act in clcb
260 *
261 * Returns none
262 *
263 ******************************************************************************/
gatt_get_sec_act(tGATT_TCB * p_tcb)264 tGATT_SEC_ACTION gatt_get_sec_act(tGATT_TCB* p_tcb) {
265 tGATT_SEC_ACTION sec_act = GATT_SEC_NONE;
266 if (p_tcb) {
267 sec_act = p_tcb->sec_act;
268 }
269 return sec_act;
270 }
271 /**
272 * This routine determine the security action based on auth_request and current
273 * link status. Returns tGATT_SEC_ACTION (security action)
274 */
gatt_determine_sec_act(tGATT_CLCB * p_clcb)275 tGATT_SEC_ACTION gatt_determine_sec_act(tGATT_CLCB* p_clcb) {
276 tGATT_SEC_ACTION act = GATT_SEC_OK;
277 tGATT_TCB* p_tcb = p_clcb->p_tcb;
278 tGATT_AUTH_REQ auth_req = p_clcb->auth_req;
279 bool is_link_encrypted = false;
280 bool is_link_key_known = false;
281 bool is_key_mitm = false;
282 uint8_t key_type;
283 tBTM_BLE_SEC_REQ_ACT sec_act = BTM_BLE_SEC_REQ_ACT_NONE;
284
285 if (auth_req == GATT_AUTH_REQ_NONE) return act;
286
287 btm_ble_link_sec_check(p_tcb->peer_bda, auth_req, &sec_act);
288
289 /* if a encryption is pending, need to wait */
290 if (sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD && auth_req != GATT_AUTH_REQ_NONE)
291 return GATT_SEC_ENC_PENDING;
292
293 is_link_key_known =
294 BTM_IsLinkKeyKnown(p_tcb->peer_bda, p_clcb->p_tcb->transport);
295 is_link_encrypted =
296 BTM_IsEncrypted(p_tcb->peer_bda, p_clcb->p_tcb->transport);
297 is_key_mitm = BTM_IsLinkKeyAuthed(p_tcb->peer_bda, p_clcb->p_tcb->transport);
298
299 /* first check link key upgrade required or not */
300 switch (auth_req) {
301 case GATT_AUTH_REQ_MITM:
302 case GATT_AUTH_REQ_SIGNED_MITM:
303 if (!is_key_mitm) act = GATT_SEC_ENCRYPT_MITM;
304 break;
305
306 case GATT_AUTH_REQ_NO_MITM:
307 case GATT_AUTH_REQ_SIGNED_NO_MITM:
308 if (!is_link_key_known) act = GATT_SEC_ENCRYPT_NO_MITM;
309 break;
310 default:
311 break;
312 }
313
314 /* now check link needs to be encrypted or not if the link key upgrade is not
315 * required */
316 if (act == GATT_SEC_OK) {
317 if (p_tcb->transport == BT_TRANSPORT_LE &&
318 (p_clcb->operation == GATTC_OPTYPE_WRITE) &&
319 (p_clcb->op_subtype == GATT_WRITE_NO_RSP)) {
320 /* this is a write command request
321 check data signing required or not */
322 if (!is_link_encrypted) {
323 btm_ble_get_enc_key_type(p_tcb->peer_bda, &key_type);
324
325 if ((key_type & BTM_LE_KEY_LCSRK) &&
326 ((auth_req == GATT_AUTH_REQ_SIGNED_NO_MITM) ||
327 (auth_req == GATT_AUTH_REQ_SIGNED_MITM))) {
328 act = GATT_SEC_SIGN_DATA;
329 } else {
330 act = GATT_SEC_ENCRYPT;
331 }
332 }
333 } else {
334 if (!is_link_encrypted) {
335 act = GATT_SEC_ENCRYPT;
336 }
337 }
338 }
339
340 return act;
341 }
342
343 /*******************************************************************************
344 *
345 * Function gatt_get_link_encrypt_status
346 *
347 * Description This routine get the encryption status of the specified link
348 *
349 *
350 * Returns tGATT_STATUS link encryption status
351 *
352 ******************************************************************************/
gatt_get_link_encrypt_status(tGATT_TCB & tcb)353 tGATT_STATUS gatt_get_link_encrypt_status(tGATT_TCB& tcb) {
354 tGATT_STATUS encrypt_status = GATT_NOT_ENCRYPTED;
355
356 bool encrypted = BTM_IsEncrypted(tcb.peer_bda, tcb.transport);
357 bool link_key_known = BTM_IsLinkKeyKnown(tcb.peer_bda, tcb.transport);
358 bool link_key_authed = BTM_IsLinkKeyAuthed(tcb.peer_bda, tcb.transport);
359
360 if (encrypted && link_key_known) {
361 encrypt_status = GATT_ENCRYPED_NO_MITM;
362 if (link_key_authed) {
363 encrypt_status = GATT_ENCRYPED_MITM;
364 }
365 }
366
367 VLOG(1) << StringPrintf("gatt_get_link_encrypt_status status=0x%x",
368 encrypt_status);
369 return encrypt_status;
370 }
371
372 /*******************************************************************************
373 *
374 * Function gatt_convert_sec_action
375 *
376 * Description Convert GATT security action enum into equivalent
377 * BTM BLE security action enum
378 *
379 * Returns bool true - conversation is successful
380 *
381 ******************************************************************************/
gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act,tBTM_BLE_SEC_ACT * p_btm_sec_act)382 static bool gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act,
383 tBTM_BLE_SEC_ACT* p_btm_sec_act) {
384 bool status = true;
385 switch (gatt_sec_act) {
386 case GATT_SEC_ENCRYPT:
387 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT;
388 break;
389 case GATT_SEC_ENCRYPT_NO_MITM:
390 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
391 break;
392 case GATT_SEC_ENCRYPT_MITM:
393 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
394 break;
395 default:
396 status = false;
397 break;
398 }
399
400 return status;
401 }
402
403 /** check link security, return true if p_clcb should be added back to queue */
gatt_security_check_start(tGATT_CLCB * p_clcb)404 bool gatt_security_check_start(tGATT_CLCB* p_clcb) {
405 tGATT_TCB* p_tcb = p_clcb->p_tcb;
406 tGATT_SEC_ACTION sec_act_old = gatt_get_sec_act(p_tcb);
407
408 tGATT_SEC_ACTION gatt_sec_act = gatt_determine_sec_act(p_clcb);
409
410 if (sec_act_old == GATT_SEC_NONE) gatt_set_sec_act(p_tcb, gatt_sec_act);
411
412 switch (gatt_sec_act) {
413 case GATT_SEC_SIGN_DATA:
414 VLOG(1) << StringPrintf("%s: Do data signing", __func__);
415 gatt_sign_data(p_clcb);
416 break;
417 case GATT_SEC_ENCRYPT:
418 case GATT_SEC_ENCRYPT_NO_MITM:
419 case GATT_SEC_ENCRYPT_MITM:
420 if (sec_act_old < GATT_SEC_ENCRYPT) {
421 VLOG(1) << StringPrintf("%s: Encrypt now or key upgreade first",
422 __func__);
423 tBTM_BLE_SEC_ACT btm_ble_sec_act;
424 gatt_convert_sec_action(gatt_sec_act, &btm_ble_sec_act);
425 tBTM_STATUS btm_status =
426 BTM_SetEncryption(p_tcb->peer_bda, p_tcb->transport,
427 gatt_enc_cmpl_cback, NULL, btm_ble_sec_act);
428 if ((btm_status != BTM_SUCCESS) && (btm_status != BTM_CMD_STARTED)) {
429 LOG(ERROR) << StringPrintf(
430 "%s BTM_SetEncryption failed btm_status=%d", __func__,
431 btm_status);
432 gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
433 gatt_set_ch_state(p_tcb, GATT_CH_OPEN);
434
435 gatt_end_operation(p_clcb, GATT_INSUF_ENCRYPTION, NULL);
436 return false;
437 }
438 }
439 return true;
440 case GATT_SEC_ENC_PENDING:
441 /* wait for link encrypotion to finish */
442 return true;
443 default:
444 gatt_sec_check_complete(true, p_clcb, gatt_sec_act);
445 break;
446 }
447
448 return false;
449 }
450