• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for BLE device control utilities, and LE
22  *  security functions.
23  *
24  ******************************************************************************/
25 
26 #include <string.h>
27 
28 #include "bt_types.h"
29 #include "hcimsgs.h"
30 #include "btu.h"
31 #include "btm_int.h"
32 #include "btm_ble_api.h"
33 #include "smp_api.h"
34 #include "l2c_int.h"
35 #include "gap_api.h"
36 
37 #if SMP_INCLUDED == TRUE
38 extern BOOLEAN AES_CMAC ( BT_OCTET16 key, UINT8 *input, UINT16 length, UINT16 tlen, UINT8 *p_signature);
39 extern void smp_link_encrypted(BD_ADDR bda, UINT8 encr_enable);
40 extern BOOLEAN smp_proc_ltk_request(BD_ADDR bda);
41 #endif
42 extern void gatt_notify_enc_cmpl(BD_ADDR bd_addr);
43 
44 /*******************************************************************************/
45 /* External Function to be called by other modules                             */
46 /*******************************************************************************/
47 /********************************************************
48 **
49 ** Function         BTM_SecAddBleDevice
50 **
51 ** Description      Add/modify device.  This function will be normally called
52 **                  during host startup to restore all required information
53 **                  for a LE device stored in the NVRAM.
54 **
55 ** Parameters:      bd_addr          - BD address of the peer
56 **                  bd_name          - Name of the peer device.  NULL if unknown.
57 **                  dev_type         - Remote device's device type.
58 **                  addr_type        - LE device address type.
59 **
60 ** Returns          TRUE if added OK, else FALSE
61 **
62 *******************************************************************************/
BTM_SecAddBleDevice(BD_ADDR bd_addr,BD_NAME bd_name,tBT_DEVICE_TYPE dev_type,tBLE_ADDR_TYPE addr_type)63 BOOLEAN BTM_SecAddBleDevice (BD_ADDR bd_addr, BD_NAME bd_name, tBT_DEVICE_TYPE dev_type,
64                              tBLE_ADDR_TYPE addr_type)
65 {
66 #if BLE_INCLUDED == TRUE
67     tBTM_SEC_DEV_REC  *p_dev_rec;
68     UINT8               i = 0;
69     tBTM_INQ_INFO      *p_info=NULL;
70 
71     BTM_TRACE_DEBUG1 ("BTM_SecAddBleDevice dev_type=0x%x", dev_type);
72     p_dev_rec = btm_find_dev (bd_addr);
73 
74     if (!p_dev_rec)
75     {
76         BTM_TRACE_DEBUG0("Add a new device");
77 
78         /* There is no device record, allocate one.
79          * If we can not find an empty spot for this one, let it fail. */
80         for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++)
81         {
82             if (!(btm_cb.sec_dev_rec[i].sec_flags & BTM_SEC_IN_USE))
83             {
84                 BTM_TRACE_DEBUG1 ("allocate a new dev rec idx=0x%x ", i );
85                 p_dev_rec = &btm_cb.sec_dev_rec[i];
86 
87                 /* Mark this record as in use and initialize */
88                 memset (p_dev_rec, 0, sizeof (tBTM_SEC_DEV_REC));
89                 p_dev_rec->sec_flags = BTM_SEC_IN_USE;
90                 memcpy (p_dev_rec->bd_addr, bd_addr, BD_ADDR_LEN);
91                 p_dev_rec->hci_handle = BTM_GetHCIConnHandle (bd_addr);
92 
93                 /* update conn params, use default value for background connection params */
94                 p_dev_rec->conn_params.min_conn_int     =
95                 p_dev_rec->conn_params.max_conn_int     =
96                 p_dev_rec->conn_params.supervision_tout =
97                 p_dev_rec->conn_params.slave_latency    = BTM_BLE_CONN_PARAM_UNDEF;
98 
99                 BTM_TRACE_DEBUG1 ("hci_handl=0x%x ",  p_dev_rec->hci_handle );
100                 break;
101             }
102         }
103 
104         if (!p_dev_rec)
105             return(FALSE);
106     }
107     else
108     {
109         BTM_TRACE_DEBUG0("Device already exist");
110     }
111 
112     memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
113 
114     if (bd_name && bd_name[0])
115     {
116         p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
117         BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name),
118                        (char *)bd_name, BTM_MAX_REM_BD_NAME_LEN);
119     }
120     p_dev_rec->device_type = dev_type;
121     p_dev_rec->ble.ble_addr_type = addr_type;
122     BTM_TRACE_DEBUG3 ("p_dev_rec->device_type =0x%x  addr_type=0x%x sec_flags=0x%x",
123                       dev_type,  addr_type, p_dev_rec->sec_flags);
124 
125     /* sync up with the Inq Data base*/
126     p_info = BTM_InqDbRead(bd_addr);
127     if (p_info)
128     {
129         p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type ;
130         p_info->results.device_type = p_dev_rec->device_type;
131         BTM_TRACE_DEBUG2 ("InqDb  device_type =0x%x  addr_type=0x%x",
132                           p_info->results.device_type, p_info->results.ble_addr_type);
133     }
134 
135 #endif
136     return(TRUE);
137 }
138 
139 /*******************************************************************************
140 **
141 ** Function         BTM_SecAddBleKey
142 **
143 ** Description      Add/modify LE device information.  This function will be
144 **                  normally called during host startup to restore all required
145 **                  information stored in the NVRAM.
146 **
147 ** Parameters:      bd_addr          - BD address of the peer
148 **                  p_le_key         - LE key values.
149 **                  key_type         - LE SMP key type.
150 *
151 ** Returns          TRUE if added OK, else FALSE
152 **
153 *******************************************************************************/
BTM_SecAddBleKey(BD_ADDR bd_addr,tBTM_LE_KEY_VALUE * p_le_key,tBTM_LE_KEY_TYPE key_type)154 BOOLEAN BTM_SecAddBleKey (BD_ADDR bd_addr, tBTM_LE_KEY_VALUE *p_le_key, tBTM_LE_KEY_TYPE key_type)
155 {
156 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
157     tBTM_SEC_DEV_REC  *p_dev_rec;
158     BTM_TRACE_DEBUG0 ("BTM_SecAddBleKey");
159     p_dev_rec = btm_find_dev (bd_addr);
160     if (!p_dev_rec || !p_le_key ||
161         (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
162          key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
163          key_type != BTM_LE_KEY_LCSRK))
164     {
165         BTM_TRACE_WARNING3 ("BTM_SecAddBleKey()  Wrong Type, or No Device record \
166                         for bdaddr: %08x%04x, Type: %d",
167                             (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
168                             (bd_addr[4]<<8)+bd_addr[5], key_type);
169         return(FALSE);
170     }
171 
172     BTM_TRACE_DEBUG3 ("BTM_SecAddLeKey()  BDA: %08x%04x, Type: 0x%02x",
173                       (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
174                       (bd_addr[4]<<8)+bd_addr[5], key_type);
175 
176     if (key_type == BTM_LE_KEY_PENC || key_type == BTM_LE_KEY_PID ||
177         key_type == BTM_LE_KEY_PCSRK || key_type == BTM_LE_KEY_LENC ||
178         key_type == BTM_LE_KEY_LCSRK)
179     {
180         btm_sec_save_le_key (bd_addr, key_type, p_le_key, FALSE);
181     }
182 
183 #endif
184 
185     return(TRUE);
186 }
187 
188 /*******************************************************************************
189 **
190 ** Function         BTM_BleLoadLocalKeys
191 **
192 ** Description      Local local identity key, encryption root or sign counter.
193 **
194 ** Parameters:      key_type: type of key, can be BTM_BLE_KEY_TYPE_ID, BTM_BLE_KEY_TYPE_ER
195 **                            or BTM_BLE_KEY_TYPE_COUNTER.
196 **                  p_key: pointer to the key.
197 *
198 ** Returns          non2.
199 **
200 *******************************************************************************/
BTM_BleLoadLocalKeys(UINT8 key_type,tBTM_BLE_LOCAL_KEYS * p_key)201 void BTM_BleLoadLocalKeys(UINT8 key_type, tBTM_BLE_LOCAL_KEYS *p_key)
202 {
203 #if BLE_INCLUDED == TRUE
204     tBTM_DEVCB *p_devcb = &btm_cb.devcb;
205     BTM_TRACE_DEBUG0 ("BTM_BleLoadLocalKeys");
206     if (p_key != NULL)
207     {
208         switch (key_type)
209         {
210             case BTM_BLE_KEY_TYPE_ID:
211                 memcpy(&p_devcb->id_keys, &p_key->id_keys, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
212                 break;
213 
214             case BTM_BLE_KEY_TYPE_ER:
215                 memcpy(p_devcb->er, p_key->er, sizeof(BT_OCTET16));
216                 break;
217 
218             default:
219                 BTM_TRACE_ERROR1("unknow local key type: %d", key_type);
220                 break;
221         }
222     }
223 #endif
224 }
225 
226 /*******************************************************************************
227 **
228 ** Function         BTM_GetDeviceEncRoot
229 **
230 ** Description      This function is called to read the local device encryption
231 **                  root.
232 **
233 ** Returns          void
234 **                  the local device ER is copied into er
235 **
236 *******************************************************************************/
BTM_GetDeviceEncRoot(BT_OCTET16 er)237 void BTM_GetDeviceEncRoot (BT_OCTET16 er)
238 {
239     BTM_TRACE_DEBUG0 ("BTM_GetDeviceEncRoot");
240 
241 #if BLE_INCLUDED == TRUE
242     memcpy (er, btm_cb.devcb.er, BT_OCTET16_LEN);
243 #endif
244 }
245 
246 /*******************************************************************************
247 **
248 ** Function         BTM_GetDeviceIDRoot
249 **
250 ** Description      This function is called to read the local device identity
251 **                  root.
252 **
253 ** Returns          void
254 **                  the local device IR is copied into irk
255 **
256 *******************************************************************************/
BTM_GetDeviceIDRoot(BT_OCTET16 irk)257 void BTM_GetDeviceIDRoot (BT_OCTET16 irk)
258 {
259     BTM_TRACE_DEBUG0 ("BTM_GetDeviceIDRoot ");
260 
261 #if BLE_INCLUDED == TRUE
262     memcpy (irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN);
263 #endif
264 }
265 
266 /*******************************************************************************
267 **
268 ** Function         BTM_GetDeviceDHK
269 **
270 ** Description      This function is called to read the local device DHK.
271 **
272 ** Returns          void
273 **                  the local device DHK is copied into dhk
274 **
275 *******************************************************************************/
BTM_GetDeviceDHK(BT_OCTET16 dhk)276 void BTM_GetDeviceDHK (BT_OCTET16 dhk)
277 {
278 #if BLE_INCLUDED == TRUE
279     BTM_TRACE_DEBUG0 ("BTM_GetDeviceDHK");
280     memcpy (dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN);
281 #endif
282 }
283 
284 /*******************************************************************************
285 **
286 ** Function         BTM_ReadConnectionAddr
287 **
288 ** Description      This function is called to get the local device address information
289 **                  .
290 **
291 ** Returns          void
292 **
293 *******************************************************************************/
BTM_ReadConnectionAddr(BD_ADDR remote_bda,BD_ADDR local_conn_addr,tBLE_ADDR_TYPE * p_addr_type)294 void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, tBLE_ADDR_TYPE *p_addr_type)
295 {
296 #if BLE_INCLUDED == TRUE
297     tACL_CONN       *p_acl = btm_bda_to_acl(remote_bda);
298 
299     if (p_acl == NULL)
300     {
301         BTM_TRACE_ERROR0("No connection exist!");
302         return;
303     }
304     memcpy(local_conn_addr, p_acl->conn_addr, BD_ADDR_LEN);
305     * p_addr_type = p_acl->conn_addr_type;
306 
307     BTM_TRACE_DEBUG2 ("BTM_ReadConnectionAddr address type: %d addr: 0x%02x",
308                     p_acl->conn_addr_type, p_acl->conn_addr[0]);
309 
310 #endif
311 }
312 
313 /*******************************************************************************
314 **
315 ** Function         BTM_ReadRemoteConnectionAddr
316 **
317 ** Description      This function is read the remote device address currently used
318 **                  .
319 **
320 ** Returns          void
321 **
322 *******************************************************************************/
BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr,BD_ADDR conn_addr,tBLE_ADDR_TYPE * p_addr_type)323 BOOLEAN BTM_ReadRemoteConnectionAddr(BD_ADDR pseudo_addr, BD_ADDR conn_addr, tBLE_ADDR_TYPE *p_addr_type)
324 {
325     BOOLEAN         st = TRUE;
326 #if BLE_INCLUDED == TRUE
327     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(pseudo_addr);
328 
329     memcpy(conn_addr, pseudo_addr, BD_ADDR_LEN);
330     *p_addr_type = p_dev_rec->ble.ble_addr_type;
331 #endif
332     return st;
333 }
334 /*******************************************************************************
335 **
336 ** Function         BTM_SecurityGrant
337 **
338 ** Description      This function is called to grant security process.
339 **
340 ** Parameters       bd_addr - peer device bd address.
341 **                  res     - result of the operation BTM_SUCCESS if success.
342 **                            Otherwise, BTM_REPEATED_ATTEMPTS is too many attempts.
343 **
344 ** Returns          None
345 **
346 *******************************************************************************/
BTM_SecurityGrant(BD_ADDR bd_addr,UINT8 res)347 void BTM_SecurityGrant(BD_ADDR bd_addr, UINT8 res)
348 {
349 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
350     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
351     BTM_TRACE_DEBUG0 ("BTM_SecurityGrant");
352     SMP_SecurityGrant(bd_addr, res_smp);
353 #endif
354 }
355 
356 /*******************************************************************************
357 **
358 ** Function         BTM_BlePasskeyReply
359 **
360 ** Description      This function is called after Security Manager submitted
361 **                  passkey request to the application.
362 **
363 ** Parameters:      bd_addr      - Address of the device for which passkey was requested
364 **                  res          - result of the operation BTM_SUCCESS if success
365 **                  key_len      - length in bytes of the Passkey
366 **                  p_passkey        - pointer to array with the passkey
367 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
368 **
369 *******************************************************************************/
BTM_BlePasskeyReply(BD_ADDR bd_addr,UINT8 res,UINT32 passkey)370 void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey)
371 {
372 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
373     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
374     tSMP_STATUS      res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
375 
376     if (p_dev_rec == NULL)
377     {
378         BTM_TRACE_ERROR0("Passkey reply to Unknown device");
379         return;
380     }
381 
382     p_dev_rec->sec_flags   |= BTM_SEC_LINK_KEY_AUTHED;
383     BTM_TRACE_DEBUG0 ("BTM_BlePasskeyReply");
384     SMP_PasskeyReply(bd_addr, res_smp, passkey);
385 #endif
386 }
387 
388 /*******************************************************************************
389 **
390 ** Function         BTM_BleOobDataReply
391 **
392 ** Description      This function is called to provide the OOB data for
393 **                  SMP in response to BTM_LE_OOB_REQ_EVT
394 **
395 ** Parameters:      bd_addr     - Address of the peer device
396 **                  res         - result of the operation SMP_SUCCESS if success
397 **                  p_data      - simple pairing Randomizer  C.
398 **
399 *******************************************************************************/
BTM_BleOobDataReply(BD_ADDR bd_addr,UINT8 res,UINT8 len,UINT8 * p_data)400 void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data)
401 {
402 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
403     tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
404     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
405 
406     BTM_TRACE_DEBUG0 ("BTM_BleOobDataReply");
407 
408     if (p_dev_rec == NULL)
409     {
410         BTM_TRACE_ERROR0("BTM_BleOobDataReply() to Unknown device");
411         return;
412     }
413 
414     p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
415     SMP_OobDataReply(bd_addr, res_smp, len, p_data);
416 #endif
417 }
418 
419 /******************************************************************************
420 **
421 ** Function         BTM_BleSetConnScanParams
422 **
423 ** Description      Set scan parameter used in BLE connection request
424 **
425 ** Parameters:      scan_interval: scan interval
426 **                  scan_window: scan window
427 **
428 ** Returns          void
429 **
430 *******************************************************************************/
BTM_BleSetConnScanParams(UINT16 scan_interval,UINT16 scan_window)431 void BTM_BleSetConnScanParams (UINT16 scan_interval, UINT16 scan_window)
432 {
433 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
434     tBTM_BLE_CB *p_ble_cb = &btm_cb.ble_ctr_cb;
435     BOOLEAN     new_param = FALSE;
436 
437     if (BTM_BLE_VALID_PRAM(scan_interval, BTM_BLE_SCAN_INT_MIN, BTM_BLE_SCAN_INT_MAX) &&
438         BTM_BLE_VALID_PRAM(scan_window, BTM_BLE_SCAN_WIN_MIN, BTM_BLE_SCAN_WIN_MAX))
439     {
440         btu_stop_timer(&p_ble_cb->scan_param_idle_timer);
441 
442         if (p_ble_cb->scan_int != scan_interval)
443         {
444             p_ble_cb->scan_int = scan_interval;
445             new_param = TRUE;
446         }
447 
448         if (p_ble_cb->scan_win != scan_window)
449         {
450             p_ble_cb->scan_win = scan_window;
451             new_param = TRUE;
452         }
453 
454         if (new_param && p_ble_cb->conn_state == BLE_BG_CONN)
455         {
456             btm_ble_suspend_bg_conn();
457         }
458     }
459     else
460     {
461         BTM_TRACE_ERROR0("Illegal Connection Scan Parameters");
462     }
463 #endif
464 }
465 
466 /********************************************************
467 **
468 ** Function         BTM_BleSetPrefConnParams
469 **
470 ** Description      Set a peripheral's preferred connection parameters
471 **
472 ** Parameters:      bd_addr          - BD address of the peripheral
473 **                  scan_interval: scan interval
474 **                  scan_window: scan window
475 **                  min_conn_int     - minimum preferred connection interval
476 **                  max_conn_int     - maximum preferred connection interval
477 **                  slave_latency    - preferred slave latency
478 **                  supervision_tout - preferred supervision timeout
479 **
480 ** Returns          void
481 **
482 *******************************************************************************/
BTM_BleSetPrefConnParams(BD_ADDR bd_addr,UINT16 min_conn_int,UINT16 max_conn_int,UINT16 slave_latency,UINT16 supervision_tout)483 void BTM_BleSetPrefConnParams (BD_ADDR bd_addr,
484                                UINT16 min_conn_int, UINT16 max_conn_int,
485                                UINT16 slave_latency, UINT16 supervision_tout)
486 {
487 #if BLE_INCLUDED == TRUE
488     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
489 
490     BTM_TRACE_API4 ("BTM_BleSetPrefConnParams min: %u  max: %u  latency: %u  \
491                     tout: %u",
492                     min_conn_int, max_conn_int, slave_latency, supervision_tout);
493 
494     if (BTM_BLE_VALID_PRAM(min_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
495         BTM_BLE_VALID_PRAM(max_conn_int, BTM_BLE_CONN_INT_MIN, BTM_BLE_CONN_INT_MAX) &&
496         BTM_BLE_VALID_PRAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN, BTM_BLE_CONN_SUP_TOUT_MAX) &&
497         (slave_latency <= BTM_BLE_CONN_LATENCY_MAX || slave_latency == BTM_BLE_CONN_PARAM_UNDEF))
498     {
499         if (p_dev_rec)
500         {
501             /* expect conn int and stout and slave latency to be updated all together */
502             if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF || max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
503             {
504                 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
505                     p_dev_rec->conn_params.min_conn_int = min_conn_int;
506                 else
507                     p_dev_rec->conn_params.min_conn_int = max_conn_int;
508 
509                 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
510                     p_dev_rec->conn_params.max_conn_int = max_conn_int;
511                 else
512                     p_dev_rec->conn_params.max_conn_int = min_conn_int;
513 
514                 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF)
515                     p_dev_rec->conn_params.slave_latency = slave_latency;
516                 else
517                     p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF;
518 
519                 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
520                     p_dev_rec->conn_params.supervision_tout = supervision_tout;
521                 else
522                     p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_TIMEOUT_DEF;
523 
524             }
525 
526         }
527         else
528         {
529             BTM_TRACE_ERROR0("Unknown Device, setting rejected");
530         }
531     }
532     else
533     {
534         BTM_TRACE_ERROR0("Illegal Connection Parameters");
535     }
536 #endif  /* BLE_INCLUDED */
537 }
538 
539 /*******************************************************************************
540 **
541 ** Function         BTM_ReadDevInfo
542 **
543 ** Description      This function is called to read the device/address type
544 **                  of BD address.
545 **
546 ** Parameter        remote_bda: remote device address
547 **                  p_dev_type: output parameter to read the device type.
548 **                  p_addr_type: output parameter to read the address type.
549 **
550 *******************************************************************************/
BTM_ReadDevInfo(BD_ADDR remote_bda,tBT_DEVICE_TYPE * p_dev_type,tBLE_ADDR_TYPE * p_addr_type)551 void BTM_ReadDevInfo (BD_ADDR remote_bda, tBT_DEVICE_TYPE *p_dev_type, tBLE_ADDR_TYPE *p_addr_type)
552 {
553 #if BLE_INCLUDED == TRUE
554     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (remote_bda);
555     tBTM_INQ_INFO     *p_inq_info = BTM_InqDbRead(remote_bda);
556 
557     *p_dev_type = BT_DEVICE_TYPE_BREDR;
558     *p_addr_type = BLE_ADDR_PUBLIC;
559 
560     if (!p_dev_rec)
561     {
562         /* Check with the BT manager if details about remote device are known */
563         if (p_inq_info != NULL)
564         {
565             *p_dev_type = p_inq_info->results.device_type ;
566             *p_addr_type = p_inq_info->results.ble_addr_type;
567         }
568         /* unknown device, assume BR/EDR */
569     }
570     else /* there is a security device record exisitng */
571     {
572         /* new inquiry result, overwrite device type in security device record */
573         if (p_inq_info)
574         {
575             p_dev_rec->device_type          = p_inq_info->results.device_type;
576             p_dev_rec->ble.ble_addr_type    = p_inq_info->results.ble_addr_type;
577         }
578         *p_dev_type = p_dev_rec->device_type;
579         *p_addr_type = p_dev_rec->ble.ble_addr_type;
580 
581     }
582 
583     BTM_TRACE_DEBUG2 ("btm_find_dev_type - device_type = %d addr_type = %d", *p_dev_type , *p_addr_type);
584 #endif
585 
586     return;
587 }
588 
589 #if BLE_INCLUDED == TRUE
590 
591 /*******************************************************************************
592 **
593 ** Function         BTM_BleReceiverTest
594 **
595 ** Description      This function is called to start the LE Receiver test
596 **
597 ** Parameter       rx_freq - Frequency Range
598 **               p_cmd_cmpl_cback - Command Complete callback
599 **
600 *******************************************************************************/
BTM_BleReceiverTest(UINT8 rx_freq,tBTM_CMPL_CB * p_cmd_cmpl_cback)601 void BTM_BleReceiverTest(UINT8 rx_freq, tBTM_CMPL_CB *p_cmd_cmpl_cback)
602 {
603      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
604 
605      if (btsnd_hcic_ble_receiver_test(rx_freq) == FALSE)
606      {
607           BTM_TRACE_ERROR1("%s: Unable to Trigger LE receiver test", __FUNCTION__);
608      }
609 }
610 
611 /*******************************************************************************
612 **
613 ** Function         BTM_BleTransmitterTest
614 **
615 ** Description      This function is called to start the LE Transmitter test
616 **
617 ** Parameter       tx_freq - Frequency Range
618 **                       test_data_len - Length in bytes of payload data in each packet
619 **                       packet_payload - Pattern to use in the payload
620 **                       p_cmd_cmpl_cback - Command Complete callback
621 **
622 *******************************************************************************/
BTM_BleTransmitterTest(UINT8 tx_freq,UINT8 test_data_len,UINT8 packet_payload,tBTM_CMPL_CB * p_cmd_cmpl_cback)623 void BTM_BleTransmitterTest(UINT8 tx_freq, UINT8 test_data_len,
624                                  UINT8 packet_payload, tBTM_CMPL_CB *p_cmd_cmpl_cback)
625 {
626      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
627      if (btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload) == FALSE)
628      {
629           BTM_TRACE_ERROR1("%s: Unable to Trigger LE transmitter test", __FUNCTION__);
630      }
631 }
632 
633 /*******************************************************************************
634 **
635 ** Function         BTM_BleTestEnd
636 **
637 ** Description      This function is called to stop the in-progress TX or RX test
638 **
639 ** Parameter       p_cmd_cmpl_cback - Command complete callback
640 **
641 *******************************************************************************/
BTM_BleTestEnd(tBTM_CMPL_CB * p_cmd_cmpl_cback)642 void BTM_BleTestEnd(tBTM_CMPL_CB *p_cmd_cmpl_cback)
643 {
644      btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
645 
646      if (btsnd_hcic_ble_test_end() == FALSE)
647      {
648           BTM_TRACE_ERROR1("%s: Unable to End the LE TX/RX test", __FUNCTION__);
649      }
650 }
651 
652 #endif
653 
654 /*******************************************************************************
655 ** Internal Functions
656 *******************************************************************************/
657 #if BLE_INCLUDED == TRUE
658 
btm_ble_test_command_complete(UINT8 * p)659 void btm_ble_test_command_complete(UINT8 *p)
660 {
661     tBTM_CMPL_CB   *p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
662     UINT8           status;
663 
664     btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
665 
666     if (p_cb)
667     {
668         (*p_cb)(p);
669     }
670 }
671 
672 /*******************************************************************************
673 **
674 ** Function         btm_ble_check_link_type
675 **
676 ** Description      This function is to check the link type is BLE or BR/EDR.
677 **
678 ** Returns          TRUE if BLE link; FALSE if BR/EDR.
679 **
680 *******************************************************************************/
btm_ble_check_link_type(BD_ADDR bd_addr)681 BOOLEAN btm_ble_check_link_type (BD_ADDR bd_addr)
682 {
683     tACL_CONN         *p;
684     BTM_TRACE_DEBUG0 ("btm_ble_check_link_type");
685     if ((p = btm_bda_to_acl(bd_addr)) != NULL)
686         return p->is_le_link;
687     else
688         return FALSE;
689 }
690 
691 /*******************************************************************************
692 **
693 ** Function         btm_ble_rand_enc_complete
694 **
695 ** Description      This function is the callback functions for HCI_Rand command
696 **                  and HCI_Encrypt command is completed.
697 **                  This message is received from the HCI.
698 **
699 ** Returns          void
700 **
701 *******************************************************************************/
btm_ble_rand_enc_complete(UINT8 * p,UINT16 op_code,tBTM_RAND_ENC_CB * p_enc_cplt_cback)702 void btm_ble_rand_enc_complete (UINT8 *p, UINT16 op_code, tBTM_RAND_ENC_CB *p_enc_cplt_cback)
703 {
704     tBTM_RAND_ENC   params;
705     UINT8           *p_dest = params.param_buf;
706 
707     BTM_TRACE_DEBUG0 ("btm_ble_rand_enc_complete");
708 
709     memset(&params, 0, sizeof(tBTM_RAND_ENC));
710 
711     /* If there was a callback address for vcs complete, call it */
712     if (p_enc_cplt_cback && p)
713     {
714         /* Pass paramters to the callback function */
715         STREAM_TO_UINT8(params.status, p); /* command status */
716 
717         if (params.status == HCI_SUCCESS)
718         {
719             params.opcode = op_code;
720 
721             if (op_code == HCI_BLE_RAND)
722                 params.param_len = BT_OCTET8_LEN;
723             else
724                 params.param_len = BT_OCTET16_LEN;
725 
726             memcpy(p_dest, p, params.param_len);  /* Fetch return info from HCI event message */
727         }
728         if (p_enc_cplt_cback)
729             (*p_enc_cplt_cback)(&params);  /* Call the Encryption complete callback function */
730     }
731 }
732 
733 
734     #if (SMP_INCLUDED == TRUE)
735 
736 /*******************************************************************************
737 **
738 ** Function         btm_ble_get_enc_key_type
739 **
740 ** Description      This function is to increment local sign counter
741 ** Returns         None
742 **
743 *******************************************************************************/
btm_ble_increment_sign_ctr(BD_ADDR bd_addr,BOOLEAN is_local)744 void btm_ble_increment_sign_ctr(BD_ADDR bd_addr, BOOLEAN is_local )
745 {
746     tBTM_SEC_DEV_REC *p_dev_rec;
747 
748     BTM_TRACE_DEBUG1 ("btm_ble_increment_sign_ctr is_local=%d", is_local);
749 
750     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
751     {
752         if (is_local)
753             p_dev_rec->ble.keys.local_counter++;
754         else
755             p_dev_rec->ble.keys.counter++;
756         BTM_TRACE_DEBUG3 ("is_local=%d local sign counter=%d peer sign counter=%d",
757                           is_local,
758                           p_dev_rec->ble.keys.local_counter,
759                           p_dev_rec->ble.keys.counter);
760     }
761 }
762 
763 /*******************************************************************************
764 **
765 ** Function         btm_ble_get_enc_key_type
766 **
767 ** Description      This function is to get the BLE key type that has been exchanged
768 **                  in betweem local device and peer device.
769 **
770 ** Returns          p_key_type: output parameter to carry the key type value.
771 **
772 *******************************************************************************/
btm_ble_get_enc_key_type(BD_ADDR bd_addr,UINT8 * p_key_types)773 BOOLEAN btm_ble_get_enc_key_type(BD_ADDR bd_addr, UINT8 *p_key_types)
774 {
775     tBTM_SEC_DEV_REC *p_dev_rec;
776 
777     BTM_TRACE_DEBUG0 ("btm_ble_get_enc_key_type");
778 
779     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
780     {
781         *p_key_types = p_dev_rec->ble.key_type;
782         return TRUE;
783     }
784     return FALSE;
785 }
786 
787 /*******************************************************************************
788 **
789 ** Function         btm_get_local_div
790 **
791 ** Description      This function is called to read the local DIV
792 **
793 ** Returns          TURE - if a valid DIV is availavle
794 *******************************************************************************/
btm_get_local_div(BD_ADDR bd_addr,UINT16 * p_div)795 BOOLEAN btm_get_local_div (BD_ADDR bd_addr, UINT16 *p_div)
796 {
797     tBTM_SEC_DEV_REC   *p_dev_rec;
798     BOOLEAN            status = FALSE;
799     BTM_TRACE_DEBUG0 ("btm_get_local_div");
800 
801     BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
802                      bd_addr[0],bd_addr[1],
803                      bd_addr[2],bd_addr[3],
804                      bd_addr[4],bd_addr[5]);
805 
806     p_dev_rec = btm_find_dev (bd_addr);
807 
808     if (p_dev_rec && p_dev_rec->ble.keys.div)
809     {
810         status = TRUE;
811         *p_div = p_dev_rec->ble.keys.div;
812     }
813     BTM_TRACE_DEBUG2 ("btm_get_local_div status=%d (1-OK) DIV=0x%x", status, *p_div);
814     return status;
815 }
816 
817 /*******************************************************************************
818 **
819 ** Function         btm_sec_save_le_key
820 **
821 ** Description      This function is called by the SMP to update
822 **                  an  BLE key.  SMP is internal, whereas all the keys shall
823 **                  be sent to the application.  The function is also called
824 **                  when application passes ble key stored in NVRAM to the btm_sec.
825 **                  pass_to_application parameter is false in this case.
826 **
827 ** Returns          void
828 **
829 *******************************************************************************/
btm_sec_save_le_key(BD_ADDR bd_addr,tBTM_LE_KEY_TYPE key_type,tBTM_LE_KEY_VALUE * p_keys,BOOLEAN pass_to_application)830 void btm_sec_save_le_key(BD_ADDR bd_addr, tBTM_LE_KEY_TYPE key_type, tBTM_LE_KEY_VALUE *p_keys,
831                          BOOLEAN pass_to_application)
832 {
833     tBTM_SEC_DEV_REC *p_rec;
834     tBTM_LE_EVT_DATA    cb_data;
835     UINT8 i;
836 
837     BTM_TRACE_DEBUG2 ("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",key_type, pass_to_application);
838     /* Store the updated key in the device database */
839 
840     BTM_TRACE_DEBUG6("bd_addr:%02x-%02x-%02x-%02x-%02x-%02x",
841                      bd_addr[0],bd_addr[1],
842                      bd_addr[2],bd_addr[3],
843                      bd_addr[4],bd_addr[5]);
844 
845     if ((p_rec = btm_find_dev (bd_addr)) != NULL && p_keys)
846     {
847         switch (key_type)
848         {
849             case BTM_LE_KEY_PENC:
850                 memcpy(p_rec->ble.keys.ltk, p_keys->penc_key.ltk, BT_OCTET16_LEN);
851                 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
852                 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
853                 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
854                 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
855                 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
856                 p_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
857                 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
858                     p_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
859                 else
860                     p_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
861                 BTM_TRACE_DEBUG3("BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
862                                  p_rec->ble.key_type,
863                                  p_rec->sec_flags,
864                                  p_rec->ble.keys.sec_level);
865                 break;
866 
867             case BTM_LE_KEY_PID:
868                 for (i=0; i<BT_OCTET16_LEN; i++)
869                 {
870                     p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i];
871                 }
872 
873                  //memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo will crash the system
874                 memcpy(p_rec->ble.static_addr, p_keys->pid_key.static_addr, BD_ADDR_LEN);
875                 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type;
876                 p_rec->ble.key_type |= BTM_LE_KEY_PID;
877                 BTM_TRACE_DEBUG1("BTM_LE_KEY_PID key_type=0x%x save peer IRK",  p_rec->ble.key_type);
878                 break;
879 
880             case BTM_LE_KEY_PCSRK:
881                 memcpy(p_rec->ble.keys.csrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN);
882                 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
883                 p_rec->ble.keys.counter  = p_keys->pcsrk_key.counter;
884                 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
885                 p_rec->sec_flags |=  BTM_SEC_LINK_KEY_KNOWN;
886                 if ( p_keys->pcsrk_key.sec_level== SMP_SEC_AUTHENTICATED)
887                     p_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
888                 else
889                     p_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
890 
891                 BTM_TRACE_DEBUG4("BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x peer_counter=%d",
892                                  p_rec->ble.key_type,
893                                  p_rec->sec_flags,
894                                  p_rec->ble.keys.srk_sec_level,
895                                  p_rec->ble.keys.counter );
896                 break;
897 
898             case BTM_LE_KEY_LENC:
899                 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
900                 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
901                 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
902                 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
903 
904                 BTM_TRACE_DEBUG4("BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x sec_level=0x%x",
905                                  p_rec->ble.key_type,
906                                  p_rec->ble.keys.div,
907                                  p_rec->ble.keys.key_size,
908                                  p_rec->ble.keys.sec_level );
909                 break;
910 
911             case BTM_LE_KEY_LCSRK:/* local CSRK has been delivered */
912                 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
913                 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
914                 p_rec->ble.keys.local_counter  = p_keys->lcsrk_key.counter;
915                 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
916                 BTM_TRACE_DEBUG4("BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x local_counter=%d",
917                                  p_rec->ble.key_type,
918                                  p_rec->ble.keys.div,
919                                  p_rec->ble.keys.local_csrk_sec_level,
920                                  p_rec->ble.keys.local_counter );
921                 break;
922 
923             default:
924                 BTM_TRACE_WARNING1("btm_sec_save_le_key (Bad key_type 0x%02x)", key_type);
925                 return;
926         }
927 
928         BTM_TRACE_DEBUG3 ("BLE key type 0x%02x updated for BDA: %08x%04x (btm_sec_save_le_key)", key_type,
929                           (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
930                           (bd_addr[4]<<8)+bd_addr[5]);
931 
932         /* Notify the application that one of the BLE keys has been updated
933            If link key is in progress, it will get sent later.*/
934         if (pass_to_application && btm_cb.api.p_le_callback)
935         {
936             cb_data.key.p_key_value = p_keys;
937             cb_data.key.key_type = key_type;
938             (*btm_cb.api.p_le_callback) (BTM_LE_KEY_EVT, bd_addr, &cb_data);
939         }
940         return;
941     }
942 
943     BTM_TRACE_WARNING3 ("BLE key type 0x%02x called for Unknown BDA or type: %08x%04x !! (btm_sec_save_le_key)", key_type,
944                         (bd_addr[0]<<24)+(bd_addr[1]<<16)+(bd_addr[2]<<8)+bd_addr[3],
945                         (bd_addr[4]<<8)+bd_addr[5]);
946 
947     if (p_rec)
948     {
949         BTM_TRACE_DEBUG1 ("sec_flags=0x%x", p_rec->sec_flags);
950     }
951 }
952 
953 /*******************************************************************************
954 **
955 ** Function         btm_ble_update_sec_key_size
956 **
957 ** Description      update the current lin kencryption key size
958 **
959 ** Returns          void
960 **
961 *******************************************************************************/
btm_ble_update_sec_key_size(BD_ADDR bd_addr,UINT8 enc_key_size)962 void btm_ble_update_sec_key_size(BD_ADDR bd_addr, UINT8 enc_key_size)
963 {
964     tBTM_SEC_DEV_REC *p_rec;
965 
966     BTM_TRACE_DEBUG1("btm_ble_update_sec_key_size enc_key_size = %d", enc_key_size);
967 
968     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
969     {
970         p_rec->enc_key_size = enc_key_size;
971     }
972 }
973 
974 /*******************************************************************************
975 **
976 ** Function         btm_ble_read_sec_key_size
977 **
978 ** Description      update the current lin kencryption key size
979 **
980 ** Returns          void
981 **
982 *******************************************************************************/
btm_ble_read_sec_key_size(BD_ADDR bd_addr)983 UINT8 btm_ble_read_sec_key_size(BD_ADDR bd_addr)
984 {
985     tBTM_SEC_DEV_REC *p_rec;
986 
987     if ((p_rec = btm_find_dev (bd_addr)) != NULL )
988     {
989         return p_rec->enc_key_size;
990     }
991     else
992         return 0;
993 }
994 
995 /*******************************************************************************
996 **
997 ** Function         btm_ble_link_sec_check
998 **
999 ** Description      Check BLE link security level match.
1000 **
1001 ** Returns          TRUE: check is OK and the *p_sec_req_act contain the action
1002 **
1003 *******************************************************************************/
btm_ble_link_sec_check(BD_ADDR bd_addr,tBTM_LE_AUTH_REQ auth_req,tBTM_BLE_SEC_REQ_ACT * p_sec_req_act)1004 void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE_SEC_REQ_ACT *p_sec_req_act)
1005 {
1006     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1007     UINT8 req_sec_level, cur_sec_level;
1008 
1009     BTM_TRACE_DEBUG1 ("btm_ble_link_sec_check auth_req =0x%x", auth_req);
1010 
1011     if (p_dev_rec == NULL)
1012     {
1013         BTM_TRACE_ERROR0 ("btm_ble_link_sec_check received for unknown device");
1014         return;
1015     }
1016 
1017     if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
1018         p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1019     {
1020         /* race condition: discard the security request while master is encrypting the link */
1021         *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1022     }
1023     else
1024     {
1025         req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1026         if ((auth_req == (BTM_LE_AUTH_REQ_BOND|BTM_LE_AUTH_REQ_MITM)) ||
1027             (auth_req == (BTM_LE_AUTH_REQ_MITM)) )
1028         {
1029             req_sec_level = BTM_LE_SEC_AUTHENTICATED;
1030         }
1031 
1032         BTM_TRACE_DEBUG1 ("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
1033 
1034         /* currently encrpted  */
1035         if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
1036         {
1037             if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
1038                 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
1039             else
1040                 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1041         }
1042         else /* unencrypted link */
1043         {
1044             /* if bonded, get the key security level */
1045             if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
1046                 cur_sec_level = p_dev_rec->ble.keys.sec_level;
1047             else
1048                 cur_sec_level = BTM_LE_SEC_NONE;
1049         }
1050 
1051         if (cur_sec_level >= req_sec_level)
1052         {
1053             if (cur_sec_level == BTM_LE_SEC_NONE)
1054             {
1055                 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_NONE;
1056             }
1057             else
1058             {
1059                 /* To avoid re-encryption on an encrypted link for an equal condition encryption */
1060                 /* if link has been encrypted, do nothing, go straight to furhter action
1061                 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
1062                     *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1063                 else
1064                 */
1065                 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
1066             }
1067         }
1068         else
1069         {
1070             *p_sec_req_act =  BTM_BLE_SEC_REQ_ACT_PAIR; /* start the pariring process to upgrade the keys*/
1071         }
1072     }
1073 
1074     BTM_TRACE_DEBUG3("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
1075                      cur_sec_level,
1076                      req_sec_level,
1077                      *p_sec_req_act);
1078 
1079 }
1080 
1081 /*******************************************************************************
1082 **
1083 ** Function         btm_ble_set_encryption
1084 **
1085 ** Description      This function is called to ensure that LE connection is
1086 **                  encrypted.  Should be called only on an open connection.
1087 **                  Typically only needed for connections that first want to
1088 **                  bring up unencrypted links, then later encrypt them.
1089 **
1090 ** Returns          void
1091 **                  the local device ER is copied into er
1092 **
1093 *******************************************************************************/
btm_ble_set_encryption(BD_ADDR bd_addr,void * p_ref_data,UINT8 link_role)1094 tBTM_STATUS btm_ble_set_encryption (BD_ADDR bd_addr, void *p_ref_data, UINT8 link_role)
1095 {
1096     tBTM_STATUS         cmd = BTM_NO_RESOURCES;
1097     tBTM_BLE_SEC_ACT    sec_act = *(tBTM_BLE_SEC_ACT *)p_ref_data ;
1098     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
1099 
1100     if (p_rec == NULL)
1101     {
1102         BTM_TRACE_WARNING1 ("btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
1103         return(BTM_WRONG_MODE);
1104     }
1105 
1106     BTM_TRACE_DEBUG2 ("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act, p_rec->role_master);
1107 
1108     if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM)
1109     {
1110         p_rec->security_required |= BTM_SEC_IN_MITM;
1111     }
1112 
1113     switch (sec_act)
1114     {
1115         case BTM_BLE_SEC_ENCRYPT:
1116             if (link_role == BTM_ROLE_MASTER)
1117             {
1118                 /* start link layer encryption using the security info stored */
1119                 if (btm_ble_start_encrypt(bd_addr, FALSE, NULL))
1120                 {
1121                     p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
1122                     cmd = BTM_CMD_STARTED;
1123                 }
1124                 break;
1125             }
1126             /* if salve role then fall through to call SMP_Pair below which will send a
1127                sec_request to request the master to encrypt the link */
1128         case BTM_BLE_SEC_ENCRYPT_NO_MITM:
1129         case BTM_BLE_SEC_ENCRYPT_MITM:
1130 
1131             if (SMP_Pair(bd_addr) == SMP_STARTED)
1132             {
1133                 cmd = BTM_CMD_STARTED;
1134                 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1135             }
1136             break;
1137 
1138         default:
1139             cmd = BTM_SUCCESS;
1140             break;
1141     }
1142     return cmd;
1143 }
1144 
1145 /*******************************************************************************
1146 **
1147 ** Function         btm_ble_ltk_request
1148 **
1149 ** Description      This function is called when encryption request is received
1150 **                  on a slave device.
1151 **
1152 **
1153 ** Returns          void
1154 **
1155 *******************************************************************************/
btm_ble_ltk_request(UINT16 handle,UINT8 rand[8],UINT16 ediv)1156 void btm_ble_ltk_request(UINT16 handle, UINT8 rand[8], UINT16 ediv)
1157 {
1158     tBTM_CB *p_cb = &btm_cb;
1159     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
1160     BT_OCTET8 dummy_stk = {0};
1161 
1162     BTM_TRACE_DEBUG0 ("btm_ble_ltk_request");
1163 
1164     p_cb->ediv = ediv;
1165 
1166     memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
1167 
1168     if (!smp_proc_ltk_request(p_dev_rec->bd_addr))
1169         btm_ble_ltk_request_reply(p_dev_rec->bd_addr, FALSE, dummy_stk);
1170 
1171 
1172 }
1173 
1174 /*******************************************************************************
1175 **
1176 ** Function         btm_ble_start_encrypt
1177 **
1178 ** Description      This function is called to start LE encryption.
1179 **
1180 **
1181 ** Returns          void
1182 **
1183 *******************************************************************************/
btm_ble_start_encrypt(BD_ADDR bda,BOOLEAN use_stk,BT_OCTET16 stk)1184 BOOLEAN btm_ble_start_encrypt(BD_ADDR bda, BOOLEAN use_stk, BT_OCTET16 stk)
1185 {
1186     tBTM_CB *p_cb = &btm_cb;
1187     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
1188     BT_OCTET8    dummy_rand = {0};
1189 
1190     BTM_TRACE_DEBUG0 ("btm_ble_start_encrypt");
1191 
1192     if (!p_rec ||
1193         (p_rec && p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING))
1194         return FALSE;
1195 
1196     if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
1197         p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
1198     p_cb->enc_handle = p_rec->hci_handle;
1199 
1200     if (use_stk)
1201     {
1202         if (!btsnd_hcic_ble_start_enc(p_rec->hci_handle, dummy_rand, 0, stk))
1203             return FALSE;
1204     }
1205     else if (p_rec->ble.key_type & BTM_LE_KEY_PENC)
1206     {
1207         if (!btsnd_hcic_ble_start_enc(p_rec->hci_handle, p_rec->ble.keys.rand,
1208                                       p_rec->ble.keys.ediv, p_rec->ble.keys.ltk))
1209             return FALSE;
1210     }
1211     else
1212     {
1213         return FALSE;
1214     }
1215 
1216     return TRUE;
1217 }
1218 
1219 /*******************************************************************************
1220 **
1221 ** Function         btm_ble_link_encrypted
1222 **
1223 ** Description      This function is called when LE link encrption status is changed.
1224 **
1225 ** Returns          void
1226 **
1227 *******************************************************************************/
btm_ble_link_encrypted(BD_ADDR bd_addr,UINT8 encr_enable)1228 void btm_ble_link_encrypted(BD_ADDR bd_addr, UINT8 encr_enable)
1229 {
1230     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
1231     BOOLEAN             enc_cback;
1232 
1233     if (!p_dev_rec)
1234     {
1235         BTM_TRACE_WARNING1 ("btm_ble_link_encrypted (No Device Found!) encr_enable=%d", encr_enable);
1236         return;
1237     }
1238 
1239     BTM_TRACE_DEBUG1 ("btm_ble_link_encrypted encr_enable=%d", encr_enable);
1240 
1241     enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
1242 
1243     smp_link_encrypted(bd_addr, encr_enable);
1244 
1245     BTM_TRACE_DEBUG1(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
1246 
1247     if (encr_enable && p_dev_rec->enc_key_size == 0)
1248         p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
1249 
1250     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1251     if (p_dev_rec->p_callback && enc_cback)
1252     {
1253         if (encr_enable)
1254             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS);
1255         else if (p_dev_rec->role_master)
1256             btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING);
1257 
1258     }
1259     /* to notify GATT to send data if any request is pending */
1260     gatt_notify_enc_cmpl(p_dev_rec->bd_addr);
1261 }
1262 
1263 /*******************************************************************************
1264 ** Function         btm_enc_proc_ltk
1265 ** Description      send LTK reply when it's ready.
1266 *******************************************************************************/
btm_enc_proc_ltk(tSMP_ENC * p)1267 static void btm_enc_proc_ltk(tSMP_ENC *p)
1268 {
1269     UINT8   i;
1270     BTM_TRACE_DEBUG0 ("btm_enc_proc_ltk");
1271     if (p && p->param_len == BT_OCTET16_LEN)
1272     {
1273         for (i = 0; i < (BT_OCTET16_LEN - btm_cb.key_size); i ++)
1274             p->param_buf[BT_OCTET16_LEN - i - 1] = 0;
1275         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p->param_buf);
1276     }
1277 }
1278 
1279 /*******************************************************************************
1280 ** Function         btm_enc_proc_slave_y
1281 ** Description      calculate LTK when Y is ready
1282 *******************************************************************************/
btm_enc_proc_slave_y(tSMP_ENC * p)1283 static void btm_enc_proc_slave_y(tSMP_ENC *p)
1284 {
1285     UINT16  div, y;
1286     UINT8   *pp = p->param_buf;
1287     tBTM_CB *p_cb = &btm_cb;
1288     tSMP_ENC output;
1289     tBTM_SEC_DEV_REC *p_dev_rec;
1290 
1291     BTM_TRACE_DEBUG0 ("btm_enc_proc_slave_y");
1292     if (p != NULL)
1293     {
1294         STREAM_TO_UINT16(y, pp);
1295 
1296         div = p_cb->ediv ^ y;
1297         p_dev_rec = btm_find_dev_by_handle (p_cb->enc_handle);
1298 
1299         if ( p_dev_rec &&
1300              p_dev_rec->ble.keys.div == div )
1301         {
1302             BTM_TRACE_DEBUG0 ("LTK request OK");
1303             /* calculating LTK , LTK = E er(div) */
1304             SMP_Encrypt(p_cb->devcb.er, BT_OCTET16_LEN, (UINT8 *)&div, 2, &output);
1305             btm_enc_proc_ltk(&output);
1306         }
1307         else
1308         {
1309             BTM_TRACE_DEBUG0 ("LTK request failed - send negative reply");
1310             btsnd_hcic_ble_ltk_req_neg_reply(p_cb->enc_handle);
1311             if (p_dev_rec)
1312                 btm_ble_link_encrypted(p_dev_rec->bd_addr, 0);
1313 
1314         }
1315     }
1316 }
1317 
1318 /*******************************************************************************
1319 **
1320 ** Function         btm_ble_ltk_request_reply
1321 **
1322 ** Description      This function is called to send a LTK request reply on a slave
1323 **                  device.
1324 **
1325 ** Returns          void
1326 **
1327 *******************************************************************************/
btm_ble_ltk_request_reply(BD_ADDR bda,BOOLEAN use_stk,BT_OCTET16 stk)1328 void btm_ble_ltk_request_reply(BD_ADDR bda,  BOOLEAN use_stk, BT_OCTET16 stk)
1329 {
1330     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bda);
1331     tBTM_CB *p_cb = &btm_cb;
1332     tSMP_ENC output;
1333 
1334     if (p_rec == NULL)
1335     {
1336         BTM_TRACE_ERROR0("btm_ble_ltk_request_reply received for unknown device");
1337         return;
1338     }
1339 
1340     BTM_TRACE_DEBUG0 ("btm_ble_ltk_request_reply");
1341     p_cb->enc_handle = p_rec->hci_handle;
1342     p_cb->key_size = p_rec->ble.keys.key_size;
1343 
1344     BTM_TRACE_ERROR1("key size = %d", p_rec->ble.keys.key_size);
1345     if (use_stk)
1346     {
1347         btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
1348     }
1349     else /* calculate LTK using peer device  */
1350     {
1351         /* generate Y= Encrypt(DHK, Rand) received from encrypt request  */
1352         SMP_Encrypt(p_cb->devcb.id_keys.dhk, BT_OCTET16_LEN, p_cb->enc_rand,
1353                     BT_OCTET8_LEN, &output);
1354         btm_enc_proc_slave_y(&output);
1355     }
1356 }
1357 
1358 /*******************************************************************************
1359 **
1360 ** Function         btm_ble_io_capabilities_req
1361 **
1362 ** Description      This function is called to handle SMP get IO capability request.
1363 **
1364 ** Returns          void
1365 **
1366 *******************************************************************************/
btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1367 UINT8 btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_LE_IO_REQ *p_data)
1368 {
1369     UINT8           callback_rc = BTM_SUCCESS;
1370     BTM_TRACE_DEBUG0 ("btm_ble_io_capabilities_req");
1371     if (btm_cb.api.p_le_callback)
1372     {
1373         /* the callback function implementation may change the IO capability... */
1374         callback_rc = (*btm_cb.api.p_le_callback) (BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA *)p_data);
1375     }
1376 #if BTM_OOB_INCLUDED == TRUE
1377     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data))
1378 #else
1379     if (callback_rc == BTM_SUCCESS)
1380 #endif
1381     {
1382         p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1383 
1384         BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d auth_req:%d",
1385                           p_dev_rec->security_required, p_data->auth_req);
1386         BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK 1-IRK 2-CSRK)",
1387                           p_data->init_keys,
1388                           p_data->resp_keys);
1389 
1390         /* if authentication requires MITM protection, put on the mask */
1391         if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
1392             p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
1393 
1394         if (!(p_data->auth_req & SMP_AUTH_BOND))
1395         {
1396             BTM_TRACE_DEBUG0("Non bonding: No keys should be exchanged");
1397             p_data->init_keys = 0;
1398             p_data->resp_keys = 0;
1399         }
1400 
1401         BTM_TRACE_DEBUG1 ("btm_ble_io_capabilities_req 3: auth_req:%d", p_data->auth_req);
1402         BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
1403                           p_data->init_keys,
1404                           p_data->resp_keys);
1405 
1406         BTM_TRACE_DEBUG2 ("btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
1407                           p_data->io_cap, p_data->auth_req);
1408 
1409         /* remove MITM protection requirement if IO cap does not allow it */
1410         if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
1411             p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
1412 
1413         BTM_TRACE_DEBUG3 ("btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:%d",
1414                           p_data->io_cap, p_data->oob_data, p_data->auth_req);
1415     }
1416     return callback_rc;
1417 }
1418 
1419 /*******************************************************************************
1420 **
1421 ** Function         btm_ble_connected
1422 **
1423 ** Description      This function is when a LE connection to the peer device is
1424 **                  establsihed
1425 **
1426 ** Returns          void
1427 **
1428 *******************************************************************************/
btm_ble_connected(UINT8 * bda,UINT16 handle,UINT8 enc_mode,UINT8 role,tBLE_ADDR_TYPE addr_type,BOOLEAN addr_matched)1429 void btm_ble_connected (UINT8 *bda, UINT16 handle, UINT8 enc_mode, UINT8 role,
1430                         tBLE_ADDR_TYPE addr_type, BOOLEAN addr_matched)
1431 {
1432     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
1433     tBTM_BLE_CB *p_cb = &btm_cb.ble_ctr_cb;
1434 
1435     BTM_TRACE_EVENT0 ("btm_ble_connected");
1436 
1437     /* Commenting out trace due to obf/compilation problems.
1438     */
1439 #if (BT_USE_TRACES == TRUE)
1440     if (p_dev_rec)
1441     {
1442         BTM_TRACE_EVENT4 ("Security Manager: btm_sec_connected :  handle:%d  enc_mode:%d  bda:%x RName:%s",
1443                           handle,  enc_mode,
1444                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
1445                           p_dev_rec->sec_bd_name);
1446 
1447         BTM_TRACE_DEBUG1 ("btm_ble_connected sec_flags=0x%x",p_dev_rec->sec_flags);
1448     }
1449     else
1450     {
1451         BTM_TRACE_EVENT3 ("Security Manager: btm_sec_connected:   handle:%d  enc_mode:%d  bda:%x ",
1452                           handle,  enc_mode,
1453                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
1454     }
1455 #endif
1456 
1457     if (!p_dev_rec)
1458     {
1459         /* There is no device record for new connection.  Allocate one */
1460         p_dev_rec = btm_sec_alloc_dev (bda);
1461     }
1462     else    /* Update the timestamp for this device */
1463     {
1464         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
1465     }
1466 
1467     /* update device information */
1468     p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
1469     p_dev_rec->hci_handle = handle;
1470     p_dev_rec->ble.ble_addr_type = addr_type;
1471 
1472     if (role == HCI_ROLE_MASTER)
1473         p_dev_rec->role_master = TRUE;
1474 
1475     if (role == HCI_ROLE_SLAVE)
1476         p_cb->inq_var.adv_mode  = BTM_BLE_ADV_DISABLE;
1477     p_cb->inq_var.directed_conn = FALSE;
1478 
1479     return;
1480 }
1481 
1482 /*****************************************************************************
1483 **  Function        btm_ble_conn_complete
1484 **
1485 **  Description     LE connection complete.
1486 **
1487 ******************************************************************************/
btm_ble_conn_complete(UINT8 * p,UINT16 evt_len)1488 void btm_ble_conn_complete(UINT8 *p, UINT16 evt_len)
1489 {
1490     UINT8       role, status, bda_type;
1491     UINT16      handle;
1492     BD_ADDR     bda;
1493     UINT16      conn_interval, conn_latency, conn_timeout;
1494     BOOLEAN     match = FALSE;
1495 
1496     STREAM_TO_UINT8   (status, p);
1497     STREAM_TO_UINT16   (handle, p);
1498     STREAM_TO_UINT8    (role, p);
1499     STREAM_TO_UINT8    (bda_type, p);
1500     STREAM_TO_BDADDR   (bda, p);
1501 
1502     if (status == 0)
1503     {
1504         STREAM_TO_UINT16   (conn_interval, p);
1505         STREAM_TO_UINT16   (conn_latency, p);
1506         STREAM_TO_UINT16   (conn_timeout, p);
1507         handle = HCID_GET_HANDLE (handle);
1508 
1509         btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type, match);
1510         l2cble_conn_comp (handle, role, bda, bda_type, conn_interval,
1511                               conn_latency, conn_timeout);
1512     }
1513     else
1514     {
1515         role = HCI_ROLE_UNKNOWN;
1516 
1517         if (status == HCI_ERR_DIRECTED_ADVERTISING_TIMEOUT)
1518             btm_ble_dir_adv_tout();
1519     }
1520     btm_ble_update_mode_operation(role, bda, TRUE);
1521 }
1522 
1523 /*****************************************************************************
1524 **  Function        btm_proc_smp_cback
1525 **
1526 **  Description     This function is the SMP callback handler.
1527 **
1528 ******************************************************************************/
btm_proc_smp_cback(tSMP_EVT event,BD_ADDR bd_addr,tSMP_EVT_DATA * p_data)1529 UINT8 btm_proc_smp_cback(tSMP_EVT event, BD_ADDR bd_addr, tSMP_EVT_DATA *p_data)
1530 {
1531     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (bd_addr);
1532     UINT8 res = 0;
1533 
1534     BTM_TRACE_DEBUG1 ("btm_proc_smp_cback event = %d", event);
1535 
1536     if (p_dev_rec != NULL)
1537     {
1538         switch (event)
1539         {
1540             case SMP_IO_CAP_REQ_EVT:
1541                 btm_ble_io_capabilities_req(p_dev_rec, (tBTM_LE_IO_REQ *)&p_data->io_req);
1542                 break;
1543 
1544             case SMP_PASSKEY_REQ_EVT:
1545             case SMP_PASSKEY_NOTIF_EVT:
1546             case SMP_OOB_REQ_EVT:
1547                 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1548             case SMP_SEC_REQUEST_EVT:
1549             case SMP_COMPLT_EVT:
1550                 if (btm_cb.api.p_le_callback)
1551                 {
1552                     /* the callback function implementation may change the IO capability... */
1553                     BTM_TRACE_DEBUG1 ("btm_cb.api.p_le_callback=0x%x", btm_cb.api.p_le_callback );
1554                    (*btm_cb.api.p_le_callback) (event, bd_addr, (tBTM_LE_EVT_DATA *)p_data);
1555                 }
1556 
1557                 if (event == SMP_COMPLT_EVT)
1558                 {
1559                     BTM_TRACE_DEBUG2 ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags );
1560 
1561                     res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING;
1562 
1563                     BTM_TRACE_DEBUG3 ("after update result=%d sec_level=0x%x sec_flags=0x%x",
1564                                       res, p_data->cmplt.sec_level , p_dev_rec->sec_flags );
1565 
1566                     btm_sec_dev_rec_cback_event(p_dev_rec, res);
1567 
1568                     if (p_data->cmplt.is_pair_cancel && btm_cb.api.p_bond_cancel_cmpl_callback )
1569                     {
1570                         BTM_TRACE_DEBUG0 ("Pairing Cancel completed");
1571                         (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
1572                     }
1573 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
1574                     if (res != BTM_SUCCESS)
1575                     {
1576                         if (!btm_cb.devcb.no_disc_if_pair_fail)
1577                         {
1578                             BTM_TRACE_DEBUG0 ("Pairing failed - Remove ACL");
1579                             btm_remove_acl(bd_addr);
1580                         }
1581                         else
1582                         {
1583                             BTM_TRACE_DEBUG0 ("Pairing failed - Not Removing ACL");
1584                             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1585                         }
1586                     }
1587 #else
1588                     if (res != BTM_SUCCESS)
1589                         btm_remove_acl(bd_addr);
1590 #endif
1591 
1592                     BTM_TRACE_DEBUG3 ("btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
1593                                       btm_cb.pairing_state,
1594                                       btm_cb.pairing_flags,
1595                                       btm_cb.pin_code_len  );
1596                     BTM_TRACE_DEBUG6 ("btm_cb.pairing_bda %02x:%02x:%02x:%02x:%02x:%02x",
1597                                       btm_cb.pairing_bda[0], btm_cb.pairing_bda[1], btm_cb.pairing_bda[2],
1598                                       btm_cb.pairing_bda[3], btm_cb.pairing_bda[4], btm_cb.pairing_bda[5]);
1599 
1600                     memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
1601                     btm_cb.pairing_flags = 0;
1602                 }
1603                 break;
1604 
1605             default:
1606                 BTM_TRACE_DEBUG1 ("unknown event = %d", event);
1607                 break;
1608 
1609 
1610         }
1611     }
1612     else
1613     {
1614         BTM_TRACE_ERROR0("btm_proc_smp_cback received for unknown device");
1615     }
1616 
1617     return 0;
1618 }
1619 
1620     #endif  /* SMP_INCLUDED */
1621 #endif  /* BLE_INCLUDED */
1622 
1623 
1624 /*******************************************************************************
1625 **
1626 ** Function         BTM_BleDataSignature
1627 **
1628 ** Description      This function is called to sign the data using AES128 CMAC
1629 **                  algorith.
1630 **
1631 ** Parameter        bd_addr: target device the data to be signed for.
1632 **                  p_text: singing data
1633 **                  len: length of the data to be signed.
1634 **                  signature: output parameter where data signature is going to
1635 **                             be stored.
1636 **
1637 ** Returns          TRUE if signing sucessul, otherwise FALSE.
1638 **
1639 *******************************************************************************/
BTM_BleDataSignature(BD_ADDR bd_addr,UINT8 * p_text,UINT16 len,BLE_SIGNATURE signature)1640 BOOLEAN BTM_BleDataSignature (BD_ADDR bd_addr, UINT8 *p_text, UINT16 len,
1641                               BLE_SIGNATURE signature)
1642 {
1643     BOOLEAN     ret = FALSE;
1644 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
1645     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
1646     UINT8   *p_buf, *pp;
1647 
1648     BT_OCTET16  er;
1649     UINT16      div;
1650     UINT8       temp[4]; /* for (r || DIV)  r=1*/
1651     UINT16      r=1;
1652     UINT8       *p=temp, *p_mac = (UINT8 *)signature;
1653     tSMP_ENC    output;
1654     BT_OCTET16  local_csrk;
1655 
1656     BTM_TRACE_DEBUG0 ("BTM_BleDataSignature");
1657     if (p_rec == NULL)
1658     {
1659         BTM_TRACE_ERROR0("data signing can not be done from unknow device");
1660     }
1661     else
1662     {
1663         if ((p_buf = (UINT8 *)GKI_getbuf((UINT16)(len + 4))) != NULL)
1664         {
1665             BTM_TRACE_DEBUG0("Start to generate Local CSRK");
1666             /* prepare plain text */
1667             if (p_text)
1668             {
1669                 memcpy(p_buf, p_text, len);
1670                 pp = (p_buf + len);
1671             }
1672 
1673 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
1674             if ( btm_cb.devcb.enable_test_local_sign_cntr)
1675             {
1676                 BTM_TRACE_DEBUG1 ("Use Test local counter value from script counter_val=%d", btm_cb.devcb.test_local_sign_cntr);
1677                 UINT32_TO_STREAM(pp, btm_cb.devcb.test_local_sign_cntr);
1678             }
1679             else
1680             {
1681                 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
1682             }
1683 #else
1684             UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
1685 #endif
1686             /* compute local csrk */
1687             if (btm_get_local_div(bd_addr, &div))
1688             {
1689                 BTM_TRACE_DEBUG1 ("compute_csrk div=%x", div);
1690                 BTM_GetDeviceEncRoot(er);
1691 
1692                 /* CSRK = d1(ER, DIV, 1) */
1693                 UINT16_TO_STREAM(p, div);
1694                 UINT16_TO_STREAM(p, r);
1695 
1696                 if (!SMP_Encrypt(er, BT_OCTET16_LEN, temp, 4, &output))
1697                 {
1698                     BTM_TRACE_ERROR0("Local CSRK generation failed ");
1699                 }
1700                 else
1701                 {
1702                     BTM_TRACE_DEBUG0("local CSRK generation success");
1703                     memcpy((void *)local_csrk, output.param_buf, BT_OCTET16_LEN);
1704 
1705 
1706 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
1707                     if (btm_cb.devcb.enable_test_local_sign_cntr)
1708                     {
1709                         UINT32_TO_STREAM(p_mac, btm_cb.devcb.test_local_sign_cntr);
1710                     }
1711                     else
1712                     {
1713                         UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
1714                     }
1715 #else
1716                     UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
1717 #endif
1718 
1719                     if ((ret = AES_CMAC(local_csrk, p_buf, (UINT16)(len + 4), BTM_CMAC_TLEN_SIZE, p_mac)) == TRUE)
1720                     {
1721                         btm_ble_increment_sign_ctr(bd_addr, TRUE);
1722 
1723 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
1724                         if ( btm_cb.devcb.enable_test_mac_val)
1725                         {
1726                             BTM_TRACE_DEBUG0 ("Use MAC value from script");
1727                             memcpy(p_mac, btm_cb.devcb.test_mac, BTM_CMAC_TLEN_SIZE);
1728                         }
1729 #endif
1730                     }
1731                     BTM_TRACE_DEBUG1("BTM_BleDataSignature p_mac = %d", p_mac);
1732                     BTM_TRACE_DEBUG4("p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = 0x%02x",
1733                                      *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
1734                     BTM_TRACE_DEBUG4("p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = 0x%02x",
1735                                      *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
1736 
1737                     GKI_freebuf(p_buf);
1738                 }
1739             }
1740         }
1741     }
1742 #endif  /* BLE_INCLUDED */
1743     return ret;
1744 }
1745 
1746 /*******************************************************************************
1747 **
1748 ** Function         BTM_BleVerifySignature
1749 **
1750 ** Description      This function is called to verify the data signature
1751 **
1752 ** Parameter        bd_addr: target device the data to be signed for.
1753 **                  p_orig:  original data before signature.
1754 **                  len: length of the signing data
1755 **                  counter: counter used when doing data signing
1756 **                  p_comp: signature to be compared against.
1757 
1758 ** Returns          TRUE if signature verified correctly; otherwise FALSE.
1759 **
1760 *******************************************************************************/
BTM_BleVerifySignature(BD_ADDR bd_addr,UINT8 * p_orig,UINT16 len,UINT32 counter,UINT8 * p_comp)1761 BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, UINT16 len, UINT32 counter,
1762                                 UINT8 *p_comp)
1763 {
1764     BOOLEAN             verified = FALSE;
1765 #if (BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
1766     tBTM_SEC_DEV_REC    *p_rec = btm_find_dev (bd_addr);
1767     UINT8               p_mac[BTM_CMAC_TLEN_SIZE];
1768 
1769     if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK)))
1770     {
1771         BTM_TRACE_ERROR0("can not verify signature for unknown device");
1772     }
1773     else if (counter < p_rec->ble.keys.counter)
1774     {
1775         BTM_TRACE_ERROR0("signature received with out dated sign counter");
1776     }
1777     else if (p_orig == NULL)
1778     {
1779         BTM_TRACE_ERROR0("No signature to verify");
1780     }
1781     else
1782     {
1783         BTM_TRACE_DEBUG2 ("BTM_BleVerifySignature rcv_cnt=%d >= expected_cnt=%d", counter, p_rec->ble.keys.counter);
1784 
1785         if (AES_CMAC(p_rec->ble.keys.csrk, p_orig, len, BTM_CMAC_TLEN_SIZE, p_mac))
1786         {
1787             if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0)
1788             {
1789                 btm_ble_increment_sign_ctr(bd_addr, FALSE);
1790                 verified = TRUE;
1791             }
1792         }
1793     }
1794 #endif  /* BLE_INCLUDED */
1795     return verified;
1796 }
1797 
1798 #if BLE_INCLUDED == TRUE
1799 /*******************************************************************************
1800 **  Utility functions for LE device IR/ER generation
1801 *******************************************************************************/
1802 /*******************************************************************************
1803 **
1804 ** Function         btm_notify_new_key
1805 **
1806 ** Description      This function is to notify application new keys have been
1807 **                  generated.
1808 **
1809 ** Returns          void
1810 **
1811 *******************************************************************************/
btm_notify_new_key(UINT8 key_type)1812 static void btm_notify_new_key(UINT8 key_type)
1813 {
1814     tBTM_BLE_LOCAL_KEYS *p_locak_keys = NULL;
1815 
1816     BTM_TRACE_DEBUG1 ("btm_notify_new_key key_type=%d", key_type);
1817 
1818     if (btm_cb.api.p_le_key_callback)
1819     {
1820         switch (key_type)
1821         {
1822             case BTM_BLE_KEY_TYPE_ID:
1823                 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ID");
1824                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.id_keys;
1825                 break;
1826 
1827             case BTM_BLE_KEY_TYPE_ER:
1828                 BTM_TRACE_DEBUG0 ("BTM_BLE_KEY_TYPE_ER");
1829                 p_locak_keys = (tBTM_BLE_LOCAL_KEYS *)&btm_cb.devcb.er;
1830                 break;
1831 
1832             default:
1833                 BTM_TRACE_ERROR1("unknown key type: %d", key_type);
1834                 break;
1835         }
1836         if (p_locak_keys != NULL)
1837             (*btm_cb.api.p_le_key_callback) (key_type, p_locak_keys);
1838     }
1839 }
1840 
1841 /*******************************************************************************
1842 **
1843 ** Function         btm_ble_process_er2
1844 **
1845 ** Description      This function is called when ER is generated, store it in
1846 **                  local control block.
1847 **
1848 ** Returns          void
1849 **
1850 *******************************************************************************/
btm_ble_process_er2(tBTM_RAND_ENC * p)1851 static void btm_ble_process_er2(tBTM_RAND_ENC *p)
1852 {
1853     BTM_TRACE_DEBUG0 ("btm_ble_process_er2");
1854 
1855     if (p &&p->opcode == HCI_BLE_RAND)
1856     {
1857         memcpy(&btm_cb.devcb.er[8], p->param_buf, BT_OCTET8_LEN);
1858         btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
1859     }
1860     else
1861     {
1862         BTM_TRACE_ERROR0("Generating ER2 exception.");
1863         memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16));
1864     }
1865 }
1866 
1867 /*******************************************************************************
1868 **
1869 ** Function         btm_ble_process_er
1870 **
1871 ** Description      This function is called when ER is generated, store it in
1872 **                  local control block.
1873 **
1874 ** Returns          void
1875 **
1876 *******************************************************************************/
btm_ble_process_er(tBTM_RAND_ENC * p)1877 static void btm_ble_process_er(tBTM_RAND_ENC *p)
1878 {
1879     BTM_TRACE_DEBUG0 ("btm_ble_process_er");
1880 
1881     if (p &&p->opcode == HCI_BLE_RAND)
1882     {
1883         memcpy(&btm_cb.devcb.er[0], p->param_buf, BT_OCTET8_LEN);
1884 
1885         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er2))
1886         {
1887             memset(&btm_cb.devcb.er, 0, sizeof(BT_OCTET16));
1888             BTM_TRACE_ERROR0("Generating ER2 failed.");
1889         }
1890     }
1891     else
1892     {
1893         BTM_TRACE_ERROR0("Generating ER1 exception.");
1894     }
1895 }
1896 
1897 /*******************************************************************************
1898 **
1899 ** Function         btm_ble_process_irk
1900 **
1901 ** Description      This function is called when IRK is generated, store it in
1902 **                  local control block.
1903 **
1904 ** Returns          void
1905 **
1906 *******************************************************************************/
btm_ble_process_irk(tSMP_ENC * p)1907 static void btm_ble_process_irk(tSMP_ENC *p)
1908 {
1909     BTM_TRACE_DEBUG0 ("btm_ble_process_irk");
1910     if (p &&p->opcode == HCI_BLE_ENCRYPT)
1911     {
1912         memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN);
1913         btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
1914     }
1915     else
1916     {
1917         BTM_TRACE_ERROR0("Generating IRK exception.");
1918     }
1919 
1920     /* proceed generate ER */
1921     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_er))
1922     {
1923         BTM_TRACE_ERROR0("Generating ER failed.");
1924     }
1925 }
1926 
1927 /*******************************************************************************
1928 **
1929 ** Function         btm_ble_process_dhk
1930 **
1931 ** Description      This function is called when DHK is calculated, store it in
1932 **                  local control block, and proceed to generate ER, a 128-bits
1933 **                  random number.
1934 **
1935 ** Returns          void
1936 **
1937 *******************************************************************************/
btm_ble_process_dhk(tSMP_ENC * p)1938 static void btm_ble_process_dhk(tSMP_ENC *p)
1939 {
1940 #if SMP_INCLUDED == TRUE
1941     UINT8 btm_ble_irk_pt = 0x01;
1942     tSMP_ENC output;
1943 
1944     BTM_TRACE_DEBUG0 ("btm_ble_process_dhk");
1945 
1946     if (p && p->opcode == HCI_BLE_ENCRYPT)
1947     {
1948         memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN);
1949         BTM_TRACE_DEBUG0("BLE DHK generated.");
1950 
1951         /* IRK = D1(IR, 1) */
1952         if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt,
1953                          1,   &output))
1954         {
1955             /* reset all identity root related key */
1956             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
1957         }
1958         else
1959         {
1960             btm_ble_process_irk(&output);
1961         }
1962     }
1963     else
1964     {
1965         /* reset all identity root related key */
1966         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
1967     }
1968 #endif
1969 }
1970 
1971 /*******************************************************************************
1972 **
1973 ** Function         btm_ble_process_ir2
1974 **
1975 ** Description      This function is called when IR is generated, proceed to calculate
1976 **                  DHK = Eir({0x03, 0, 0 ...})
1977 **
1978 **
1979 ** Returns          void
1980 **
1981 *******************************************************************************/
btm_ble_process_ir2(tBTM_RAND_ENC * p)1982 static void btm_ble_process_ir2(tBTM_RAND_ENC *p)
1983 {
1984 #if SMP_INCLUDED == TRUE
1985     UINT8 btm_ble_dhk_pt = 0x03;
1986     tSMP_ENC output;
1987 
1988     BTM_TRACE_DEBUG0 ("btm_ble_process_ir2");
1989 
1990     if (p && p->opcode == HCI_BLE_RAND)
1991     {
1992         /* remembering in control block */
1993         memcpy(&btm_cb.devcb.id_keys.ir[8], p->param_buf, BT_OCTET8_LEN);
1994         /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
1995 
1996 
1997         SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt,
1998                     1, &output);
1999         btm_ble_process_dhk(&output);
2000 
2001         BTM_TRACE_DEBUG0("BLE IR generated.");
2002     }
2003     else
2004     {
2005         memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2006     }
2007 #endif
2008 }
2009 
2010 /*******************************************************************************
2011 **
2012 ** Function         btm_ble_process_ir
2013 **
2014 ** Description      This function is called when IR is generated, proceed to calculate
2015 **                  DHK = Eir({0x02, 0, 0 ...})
2016 **
2017 **
2018 ** Returns          void
2019 **
2020 *******************************************************************************/
btm_ble_process_ir(tBTM_RAND_ENC * p)2021 static void btm_ble_process_ir(tBTM_RAND_ENC *p)
2022 {
2023     BTM_TRACE_DEBUG0 ("btm_ble_process_ir");
2024 
2025     if (p && p->opcode == HCI_BLE_RAND)
2026     {
2027         /* remembering in control block */
2028         memcpy(btm_cb.devcb.id_keys.ir, p->param_buf, BT_OCTET8_LEN);
2029 
2030         if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir2))
2031         {
2032             BTM_TRACE_ERROR0("Generating IR2 failed.");
2033             memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2034         }
2035     }
2036 }
2037 
2038 /*******************************************************************************
2039 **
2040 ** Function         btm_ble_reset_id
2041 **
2042 ** Description      This function is called to reset LE device identity.
2043 **
2044 ** Returns          void
2045 **
2046 *******************************************************************************/
btm_ble_reset_id(void)2047 void btm_ble_reset_id( void )
2048 {
2049     BTM_TRACE_DEBUG0 ("btm_ble_reset_id");
2050 
2051     /* regenrate Identity Root*/
2052     if (!btsnd_hcic_ble_rand((void *)btm_ble_process_ir))
2053     {
2054         BTM_TRACE_DEBUG0("Generating IR failed.");
2055     }
2056 }
2057 
2058     #if BTM_BLE_CONFORMANCE_TESTING == TRUE
2059 /*******************************************************************************
2060 **
2061 ** Function         btm_ble_set_no_disc_if_pair_fail
2062 **
2063 ** Description      This function indicates that whether no disconnect of the ACL
2064 **                  should be used if pairing failed
2065 **
2066 ** Returns          void
2067 **
2068 *******************************************************************************/
btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc)2069 void btm_ble_set_no_disc_if_pair_fail(BOOLEAN disable_disc )
2070 {
2071     BTM_TRACE_DEBUG1 ("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d", disable_disc);
2072     btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
2073 }
2074 
2075 /*******************************************************************************
2076 **
2077 ** Function         btm_ble_set_test_mac_value
2078 **
2079 ** Description      This function set test MAC value
2080 **
2081 ** Returns          void
2082 **
2083 *******************************************************************************/
btm_ble_set_test_mac_value(BOOLEAN enable,UINT8 * p_test_mac_val)2084 void btm_ble_set_test_mac_value(BOOLEAN enable, UINT8 *p_test_mac_val )
2085 {
2086     BTM_TRACE_DEBUG1 ("btm_ble_set_test_mac_value enable=%d", enable);
2087     btm_cb.devcb.enable_test_mac_val = enable;
2088     memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
2089 }
2090 
2091 /*******************************************************************************
2092 **
2093 ** Function         btm_ble_set_test_local_sign_cntr_value
2094 **
2095 ** Description      This function set test local sign counter value
2096 **
2097 ** Returns          void
2098 **
2099 *******************************************************************************/
btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable,UINT32 test_local_sign_cntr)2100 void btm_ble_set_test_local_sign_cntr_value(BOOLEAN enable, UINT32 test_local_sign_cntr )
2101 {
2102     BTM_TRACE_DEBUG2 ("btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
2103                       enable, test_local_sign_cntr);
2104     btm_cb.devcb.enable_test_local_sign_cntr = enable;
2105     btm_cb.devcb.test_local_sign_cntr =  test_local_sign_cntr;
2106 }
2107 
2108 /*******************************************************************************
2109 **
2110 ** Function         btm_set_random_address
2111 **
2112 ** Description      This function set a random address to local controller.
2113 **
2114 ** Returns          void
2115 **
2116 *******************************************************************************/
btm_set_random_address(BD_ADDR random_bda)2117 void btm_set_random_address(BD_ADDR random_bda)
2118 {
2119     tBTM_LE_RANDOM_CB *p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
2120     BOOLEAN     adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode ;
2121 
2122     BTM_TRACE_DEBUG0 ("btm_set_random_address");
2123 
2124     if (adv_mode  == BTM_BLE_ADV_ENABLE)
2125         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_DISABLE);
2126 
2127     memcpy(p_cb->private_addr, random_bda, BD_ADDR_LEN);
2128     btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
2129 
2130     if (adv_mode  == BTM_BLE_ADV_ENABLE)
2131         btsnd_hcic_ble_set_adv_enable (BTM_BLE_ADV_ENABLE);
2132 
2133 
2134 }
2135 #endif /* BTM_BLE_CONFORMANCE_TESTING */
2136 
2137 
2138 #endif /* BLE_INCLUDED */
2139