1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * this file contains GATT authentication handling functions
22 *
23 ******************************************************************************/
24 #include <string.h>
25
26 #include "bt_target.h"
27 #include "gatt_api.h"
28 #include "gatt_int.h"
29 #include "osi/include/allocator.h"
30 #include "osi/include/osi.h"
31 #include "stack/btm/btm_ble_int.h"
32 #include "stack/btm/btm_ble_int_types.h"
33 #include "stack/btm/btm_sec.h"
34 #include "stack/include/bt_hdr.h"
35 #include "types/raw_address.h"
36
37 #include <base/logging.h>
38
39 using base::StringPrintf;
40
41 /*******************************************************************************
42 *
43 * Function gatt_sign_data
44 *
45 * Description This function sign the data for write command.
46 *
47 * Returns true if encrypted, otherwise false.
48 *
49 ******************************************************************************/
gatt_sign_data(tGATT_CLCB * p_clcb)50 static bool gatt_sign_data(tGATT_CLCB* p_clcb) {
51 tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
52 uint8_t *p_data = NULL, *p;
53 uint16_t payload_size = p_clcb->p_tcb->payload_size;
54 bool status = false;
55 uint8_t* p_signature;
56
57 /* do not need to mark channel securoty activity for data signing */
58 gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_OK);
59
60 p_data =
61 (uint8_t*)osi_malloc(p_attr->len + 3); /* 3 = 2 byte handle + opcode */
62
63 p = p_data;
64 UINT8_TO_STREAM(p, GATT_SIGN_CMD_WRITE);
65 UINT16_TO_STREAM(p, p_attr->handle);
66 ARRAY_TO_STREAM(p, p_attr->value, p_attr->len);
67
68 /* sign data length should be attribulte value length plus 2B handle + 1B op
69 * code */
70 if ((payload_size - GATT_AUTH_SIGN_LEN - 3) < p_attr->len)
71 p_attr->len = payload_size - GATT_AUTH_SIGN_LEN - 3;
72
73 p_signature = p_attr->value + p_attr->len;
74 if (BTM_BleDataSignature(
75 p_clcb->p_tcb->peer_bda, p_data,
76 (uint16_t)(p_attr->len + 3), /* 3 = 2 byte handle + opcode */
77 p_signature)) {
78 p_attr->len += BTM_BLE_AUTH_SIGN_LEN;
79 gatt_set_ch_state(p_clcb->p_tcb, GATT_CH_OPEN);
80 gatt_act_write(p_clcb, GATT_SEC_SIGN_DATA);
81 } else {
82 gatt_end_operation(p_clcb, GATT_INTERNAL_ERROR, NULL);
83 }
84
85 osi_free(p_data);
86
87 return status;
88 }
89
90 /*******************************************************************************
91 *
92 * Function gatt_verify_signature
93 *
94 * Description This function start to verify the sign data when receiving
95 * the data from peer device.
96 *
97 * Returns
98 *
99 ******************************************************************************/
gatt_verify_signature(tGATT_TCB & tcb,uint16_t cid,BT_HDR * p_buf)100 void gatt_verify_signature(tGATT_TCB& tcb, uint16_t cid, BT_HDR* p_buf) {
101 uint16_t cmd_len;
102 uint8_t op_code;
103 uint8_t *p, *p_orig = (uint8_t*)(p_buf + 1) + p_buf->offset;
104 uint32_t counter;
105
106 if (p_buf->len < GATT_AUTH_SIGN_LEN + 4) {
107 LOG(ERROR) << StringPrintf("%s: Data length %u less than expected %u",
108 __func__, p_buf->len, GATT_AUTH_SIGN_LEN + 4);
109 return;
110 }
111 cmd_len = p_buf->len - GATT_AUTH_SIGN_LEN + 4;
112 p = p_orig + cmd_len - 4;
113 STREAM_TO_UINT32(counter, p);
114
115 if (!BTM_BleVerifySignature(tcb.peer_bda, p_orig, cmd_len, counter, p)) {
116 /* if this is a bad signature, assume from attacker, ignore it */
117 LOG(ERROR) << StringPrintf("Signature Verification Failed, data ignored");
118 return;
119 }
120
121 STREAM_TO_UINT8(op_code, p_orig);
122 gatt_server_handle_client_req(tcb, cid, op_code, (uint16_t)(p_buf->len - 1),
123 p_orig);
124 }
125 /*******************************************************************************
126 *
127 * Function gatt_sec_check_complete
128 *
129 * Description security check complete and proceed to data sending action.
130 *
131 * Returns void.
132 *
133 ******************************************************************************/
gatt_sec_check_complete(bool sec_check_ok,tGATT_CLCB * p_clcb,uint8_t sec_act)134 static void gatt_sec_check_complete(bool sec_check_ok, tGATT_CLCB* p_clcb,
135 uint8_t sec_act) {
136 if (p_clcb && p_clcb->p_tcb && p_clcb->p_tcb->pending_enc_clcb.empty()) {
137 gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_NONE);
138 }
139
140 if (!sec_check_ok) {
141 gatt_end_operation(p_clcb, GATT_AUTH_FAIL, NULL);
142 } else if (p_clcb->operation == GATTC_OPTYPE_WRITE) {
143 gatt_act_write(p_clcb, sec_act);
144 } else if (p_clcb->operation == GATTC_OPTYPE_READ) {
145 gatt_act_read(p_clcb, p_clcb->counter);
146 }
147 }
148 /*******************************************************************************
149 *
150 * Function gatt_enc_cmpl_cback
151 *
152 * Description link encryption complete callback.
153 *
154 * Returns
155 *
156 ******************************************************************************/
gatt_enc_cmpl_cback(const RawAddress * bd_addr,tBT_TRANSPORT transport,UNUSED_ATTR void * p_ref_data,tBTM_STATUS result)157 static void gatt_enc_cmpl_cback(const RawAddress* bd_addr,
158 tBT_TRANSPORT transport,
159 UNUSED_ATTR void* p_ref_data,
160 tBTM_STATUS result) {
161 VLOG(1) << StringPrintf("gatt_enc_cmpl_cback");
162 tGATT_TCB* p_tcb = gatt_find_tcb_by_addr(*bd_addr, transport);
163 if (!p_tcb) {
164 LOG(ERROR) << StringPrintf("%s: enc callback for unknown bd_addr",
165 __func__);
166 return;
167 }
168
169 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) return;
170
171 if (p_tcb->pending_enc_clcb.empty()) {
172 LOG(ERROR) << StringPrintf("%s: no operation waiting for encrypting",
173 __func__);
174 return;
175 }
176
177 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
178 p_tcb->pending_enc_clcb.pop_front();
179
180 if (p_clcb != NULL) {
181 bool status = false;
182 if (result == BTM_SUCCESS) {
183 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENCRYPT_MITM) {
184 status = BTM_IsLinkKeyAuthed(*bd_addr, transport);
185 } else {
186 status = true;
187 }
188 }
189
190 gatt_sec_check_complete(status, p_clcb, p_tcb->sec_act);
191 }
192
193 /* start all other pending operation in queue */
194 std::deque<tGATT_CLCB*> new_pending_clcbs;
195 while (!p_tcb->pending_enc_clcb.empty()) {
196 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
197 p_tcb->pending_enc_clcb.pop_front();
198 if (p_clcb != NULL && gatt_security_check_start(p_clcb))
199 new_pending_clcbs.push_back(p_clcb);
200 }
201 p_tcb->pending_enc_clcb = new_pending_clcbs;
202 }
203
204 /*******************************************************************************
205 *
206 * Function gatt_notify_enc_cmpl
207 *
208 * Description link encryption complete notification for all encryption
209 * process initiated outside GATT.
210 *
211 * Returns
212 *
213 ******************************************************************************/
gatt_notify_enc_cmpl(const RawAddress & bd_addr)214 void gatt_notify_enc_cmpl(const RawAddress& bd_addr) {
215 tGATT_TCB* p_tcb = gatt_find_tcb_by_addr(bd_addr, BT_TRANSPORT_LE);
216 if (!p_tcb) {
217 VLOG(1) << StringPrintf(
218 "notify GATT for encryption completion of unknown device");
219 return;
220 }
221
222 for (uint8_t i = 0; i < GATT_MAX_APPS; i++) {
223 if (gatt_cb.cl_rcb[i].in_use && gatt_cb.cl_rcb[i].app_cb.p_enc_cmpl_cb) {
224 (*gatt_cb.cl_rcb[i].app_cb.p_enc_cmpl_cb)(gatt_cb.cl_rcb[i].gatt_if,
225 bd_addr);
226 }
227 }
228
229 if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) {
230 gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
231
232 std::deque<tGATT_CLCB*> new_pending_clcbs;
233 while (!p_tcb->pending_enc_clcb.empty()) {
234 tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
235 p_tcb->pending_enc_clcb.pop_front();
236 if (p_clcb != NULL && gatt_security_check_start(p_clcb))
237 new_pending_clcbs.push_back(p_clcb);
238 }
239 p_tcb->pending_enc_clcb = new_pending_clcbs;
240 }
241 }
242 /*******************************************************************************
243 *
244 * Function gatt_set_sec_act
245 *
246 * Description This function set the sec_act in clcb
247 *
248 * Returns none
249 *
250 ******************************************************************************/
gatt_set_sec_act(tGATT_TCB * p_tcb,tGATT_SEC_ACTION sec_act)251 void gatt_set_sec_act(tGATT_TCB* p_tcb, tGATT_SEC_ACTION sec_act) {
252 if (p_tcb) {
253 p_tcb->sec_act = sec_act;
254 }
255 }
256 /*******************************************************************************
257 *
258 * Function gatt_get_sec_act
259 *
260 * Description This function get the sec_act in clcb
261 *
262 * Returns none
263 *
264 ******************************************************************************/
gatt_get_sec_act(tGATT_TCB * p_tcb)265 tGATT_SEC_ACTION gatt_get_sec_act(tGATT_TCB* p_tcb) {
266 tGATT_SEC_ACTION sec_act = GATT_SEC_NONE;
267 if (p_tcb) {
268 sec_act = p_tcb->sec_act;
269 }
270 return sec_act;
271 }
272 /**
273 * This routine determine the security action based on auth_request and current
274 * link status. Returns tGATT_SEC_ACTION (security action)
275 */
gatt_determine_sec_act(tGATT_CLCB * p_clcb)276 tGATT_SEC_ACTION gatt_determine_sec_act(tGATT_CLCB* p_clcb) {
277 tGATT_SEC_ACTION act = GATT_SEC_OK;
278 tGATT_TCB* p_tcb = p_clcb->p_tcb;
279 tGATT_AUTH_REQ auth_req = p_clcb->auth_req;
280 bool is_link_encrypted = false;
281 bool is_link_key_known = false;
282 bool is_key_mitm = false;
283 uint8_t key_type;
284 tBTM_BLE_SEC_REQ_ACT sec_act = BTM_BLE_SEC_REQ_ACT_NONE;
285
286 if (auth_req == GATT_AUTH_REQ_NONE) return act;
287
288 btm_ble_link_sec_check(p_tcb->peer_bda, auth_req, &sec_act);
289
290 /* if a encryption is pending, need to wait */
291 if (sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD && auth_req != GATT_AUTH_REQ_NONE)
292 return GATT_SEC_ENC_PENDING;
293
294 is_link_key_known =
295 BTM_IsLinkKeyKnown(p_tcb->peer_bda, p_clcb->p_tcb->transport);
296 is_link_encrypted =
297 BTM_IsEncrypted(p_tcb->peer_bda, p_clcb->p_tcb->transport);
298 is_key_mitm = BTM_IsLinkKeyAuthed(p_tcb->peer_bda, p_clcb->p_tcb->transport);
299
300 /* first check link key upgrade required or not */
301 switch (auth_req) {
302 case GATT_AUTH_REQ_MITM:
303 case GATT_AUTH_REQ_SIGNED_MITM:
304 if (!is_key_mitm) act = GATT_SEC_ENCRYPT_MITM;
305 break;
306
307 case GATT_AUTH_REQ_NO_MITM:
308 case GATT_AUTH_REQ_SIGNED_NO_MITM:
309 if (!is_link_key_known) act = GATT_SEC_ENCRYPT_NO_MITM;
310 break;
311 default:
312 break;
313 }
314
315 /* now check link needs to be encrypted or not if the link key upgrade is not
316 * required */
317 if (act == GATT_SEC_OK) {
318 if (p_tcb->transport == BT_TRANSPORT_LE &&
319 (p_clcb->operation == GATTC_OPTYPE_WRITE) &&
320 (p_clcb->op_subtype == GATT_WRITE_NO_RSP)) {
321 /* this is a write command request
322 check data signing required or not */
323 if (!is_link_encrypted) {
324 btm_ble_get_enc_key_type(p_tcb->peer_bda, &key_type);
325
326 if ((key_type & BTM_LE_KEY_LCSRK) &&
327 ((auth_req == GATT_AUTH_REQ_SIGNED_NO_MITM) ||
328 (auth_req == GATT_AUTH_REQ_SIGNED_MITM))) {
329 act = GATT_SEC_SIGN_DATA;
330 } else {
331 act = GATT_SEC_ENCRYPT;
332 }
333 }
334 } else {
335 if (!is_link_encrypted) {
336 act = GATT_SEC_ENCRYPT;
337 }
338 }
339 }
340
341 return act;
342 }
343
344 /*******************************************************************************
345 *
346 * Function gatt_get_link_encrypt_status
347 *
348 * Description This routine get the encryption status of the specified link
349 *
350 *
351 * Returns tGATT_STATUS link encryption status
352 *
353 ******************************************************************************/
gatt_get_link_encrypt_status(tGATT_TCB & tcb)354 tGATT_STATUS gatt_get_link_encrypt_status(tGATT_TCB& tcb) {
355 tGATT_STATUS encrypt_status = GATT_NOT_ENCRYPTED;
356
357 bool encrypted = BTM_IsEncrypted(tcb.peer_bda, tcb.transport);
358 bool link_key_known = BTM_IsLinkKeyKnown(tcb.peer_bda, tcb.transport);
359 bool link_key_authed = BTM_IsLinkKeyAuthed(tcb.peer_bda, tcb.transport);
360
361 if (encrypted && link_key_known) {
362 encrypt_status = GATT_ENCRYPED_NO_MITM;
363 if (link_key_authed) {
364 encrypt_status = GATT_ENCRYPED_MITM;
365 }
366 }
367
368 VLOG(1) << StringPrintf("gatt_get_link_encrypt_status status=0x%x",
369 encrypt_status);
370 return encrypt_status;
371 }
372
373 /*******************************************************************************
374 *
375 * Function gatt_convert_sec_action
376 *
377 * Description Convert GATT security action enum into equivalent
378 * BTM BLE security action enum
379 *
380 * Returns bool true - conversation is successful
381 *
382 ******************************************************************************/
gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act,tBTM_BLE_SEC_ACT * p_btm_sec_act)383 static bool gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act,
384 tBTM_BLE_SEC_ACT* p_btm_sec_act) {
385 bool status = true;
386 switch (gatt_sec_act) {
387 case GATT_SEC_ENCRYPT:
388 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT;
389 break;
390 case GATT_SEC_ENCRYPT_NO_MITM:
391 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
392 break;
393 case GATT_SEC_ENCRYPT_MITM:
394 *p_btm_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
395 break;
396 default:
397 status = false;
398 break;
399 }
400
401 return status;
402 }
403
404 /** check link security, return true if p_clcb should be added back to queue */
gatt_security_check_start(tGATT_CLCB * p_clcb)405 bool gatt_security_check_start(tGATT_CLCB* p_clcb) {
406 tGATT_TCB* p_tcb = p_clcb->p_tcb;
407 tGATT_SEC_ACTION sec_act_old = gatt_get_sec_act(p_tcb);
408
409 tGATT_SEC_ACTION gatt_sec_act = gatt_determine_sec_act(p_clcb);
410
411 if (sec_act_old == GATT_SEC_NONE) gatt_set_sec_act(p_tcb, gatt_sec_act);
412
413 switch (gatt_sec_act) {
414 case GATT_SEC_SIGN_DATA:
415 VLOG(1) << StringPrintf("%s: Do data signing", __func__);
416 gatt_sign_data(p_clcb);
417 break;
418 case GATT_SEC_ENCRYPT:
419 case GATT_SEC_ENCRYPT_NO_MITM:
420 case GATT_SEC_ENCRYPT_MITM:
421 if (sec_act_old < GATT_SEC_ENCRYPT) {
422 VLOG(1) << StringPrintf("%s: Encrypt now or key upgreade first",
423 __func__);
424 tBTM_BLE_SEC_ACT btm_ble_sec_act;
425 gatt_convert_sec_action(gatt_sec_act, &btm_ble_sec_act);
426 tBTM_STATUS btm_status =
427 BTM_SetEncryption(p_tcb->peer_bda, p_tcb->transport,
428 gatt_enc_cmpl_cback, NULL, btm_ble_sec_act);
429 if ((btm_status != BTM_SUCCESS) && (btm_status != BTM_CMD_STARTED)) {
430 LOG(ERROR) << StringPrintf(
431 "%s BTM_SetEncryption failed btm_status=%d", __func__,
432 btm_status);
433 gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
434 gatt_set_ch_state(p_tcb, GATT_CH_OPEN);
435
436 gatt_end_operation(p_clcb, GATT_INSUF_ENCRYPTION, NULL);
437 return false;
438 }
439 }
440 return true;
441 case GATT_SEC_ENC_PENDING:
442 /* wait for link encrypotion to finish */
443 return true;
444 default:
445 gatt_sec_check_complete(true, p_clcb, gatt_sec_act);
446 break;
447 }
448
449 return false;
450 }
451