• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for the Bluetooth Security Manager
22  *
23  ******************************************************************************/
24 
25 #include <string.h>
26 #include "bt_types.h"
27 #include "hcimsgs.h"
28 #include "btu.h"
29 #include "btm_int.h"
30 #include "l2c_int.h"
31 
32 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
33 /* needed for sprintf() */
34 #include <stdio.h>
35 #endif
36 
37 #if BLE_INCLUDED == TRUE
38     #include "gatt_int.h"
39 #endif
40 
41 #define BTM_SEC_MAX_COLLISION_DELAY     (GKI_SECS_TO_TICKS(5))
42 
43 #ifdef APPL_AUTH_WRITE_EXCEPTION
44 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
45 #endif
46 
47 /********************************************************************************/
48 /*              L O C A L    F U N C T I O N     P R O T O T Y P E S            */
49 /********************************************************************************/
50 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
51 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
52 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
53                                                 UINT32 mx_proto_id,
54                                                 UINT32 mx_chan_id);
55 
56 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
57 static BOOLEAN  btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
58 static BOOLEAN  btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
59 static BOOLEAN  btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
60 static void     btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
61 static void     btm_restore_mode(void);
62 static void     btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
63 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
64 static void     btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
65 
66 #if (BT_USE_TRACES == TRUE)
67 static char     *btm_pair_state_descr (tBTM_PAIRING_STATE state);
68 #endif
69 
70 static void     btm_sec_check_pending_reqs(void);
71 static BOOLEAN  btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
72                                           UINT32 mx_proto_id, UINT32 mx_chan_id,
73                                           tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
74 static void     btm_sec_bond_cancel_complete (void);
75 static void     btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
76 static BOOLEAN  btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec);
77 
78 static UINT8    btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
79 BOOLEAN         btm_sec_are_all_trusted(UINT32 p_mask[]);
80 
81 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason);
82 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
83 
84 static BOOLEAN  btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
85                                             UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
86                                             UINT32 mx_chan_id);
87 
88 /* TRUE - authenticated link key is possible */
89 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
90 {
91     /*   OUT,    IO,     IN,     NONE */
92 /* OUT  */ {FALSE,  FALSE,  TRUE,   FALSE},
93 /* IO   */ {FALSE,  TRUE,   TRUE,   FALSE},
94 /* IN   */ {TRUE,   TRUE,   TRUE,   FALSE},
95 /* NONE */ {FALSE,  FALSE,  FALSE,  FALSE}
96 };
97 /*  BTM_IO_CAP_OUT      0   DisplayOnly */
98 /*  BTM_IO_CAP_IO       1   DisplayYesNo */
99 /*  BTM_IO_CAP_IN       2   KeyboardOnly */
100 /*  BTM_IO_CAP_NONE     3   NoInputNoOutput */
101 
102 /*******************************************************************************
103 **
104 ** Function         BTM_SecRegister
105 **
106 ** Description      Application manager calls this function to register for
107 **                  security services.  There can be one and only one application
108 **                  saving link keys.  BTM allows only first registration.
109 **
110 ** Returns          TRUE if registered OK, else FALSE
111 **
112 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)113 BOOLEAN  BTM_SecRegister (tBTM_APPL_INFO *p_cb_info)
114 {
115 #if BLE_INCLUDED == TRUE
116     BT_OCTET16      temp_value = {0};
117 #endif
118 
119     BTM_TRACE_EVENT0 ("BTM_Sec: application registered");
120 
121 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
122     BTM_TRACE_ERROR1 ("BTM_SecRegister:p_cb_info->p_le_callback == 0x%x ", p_cb_info->p_le_callback);
123 
124     if (p_cb_info->p_le_callback)
125     {
126 #if SMP_INCLUDED == TRUE
127         BTM_TRACE_EVENT0 ("BTM_Sec: SMP_Register( btm_proc_smp_cback )");
128         SMP_Register(btm_proc_smp_cback);
129 #endif
130         /* if no IR is loaded, need to regenerate all the keys */
131         if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
132         {
133             btm_ble_reset_id();
134         }
135     }
136     else
137     {
138         BTM_TRACE_ERROR0 ("BTM_SecRegister:p_cb_info->p_le_callback == NULL ");
139     }
140 #endif
141 
142 
143 
144     btm_cb.api = *p_cb_info;
145 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
146      BTM_TRACE_ERROR1 ("BTM_SecRegister: btm_cb.api.p_le_callback = 0x%x ", btm_cb.api.p_le_callback);
147 #endif
148     BTM_TRACE_EVENT0 ("BTM_Sec: application registered");
149     return(TRUE);
150 }
151 
152 
153 /*******************************************************************************
154 **
155 ** Function         BTM_SecRegisterLinkKeyNotificationCallback
156 **
157 ** Description      Application manager calls this function to register for
158 **                  link key notification.  When there is nobody registered
159 **                  we should avoid changing link key
160 **
161 ** Returns          TRUE if registered OK, else FALSE
162 **
163 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)164 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
165 {
166     btm_cb.api.p_link_key_callback = p_callback;
167     return(TRUE);
168 }
169 
170 
171 /*******************************************************************************
172 **
173 ** Function         BTM_SecAddRmtNameNotifyCallback
174 **
175 ** Description      Any profile can register to be notified when name of the
176 **                  remote device is resolved.
177 **
178 ** Returns          TRUE if registered OK, else FALSE
179 **
180 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)181 BOOLEAN  BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
182 {
183     int i;
184 
185     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
186     {
187         if (btm_cb.p_rmt_name_callback[i] == NULL)
188         {
189             btm_cb.p_rmt_name_callback[i] = p_callback;
190             return(TRUE);
191         }
192     }
193 
194     return(FALSE);
195 }
196 
197 
198 /*******************************************************************************
199 **
200 ** Function         BTM_SecDeleteRmtNameNotifyCallback
201 **
202 ** Description      Any profile can deregister notification when a new Link Key
203 **                  is generated per connection.
204 **
205 ** Returns          TRUE if OK, else FALSE
206 **
207 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)208 BOOLEAN  BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
209 {
210     int i;
211 
212     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
213     {
214         if (btm_cb.p_rmt_name_callback[i] == p_callback)
215         {
216             btm_cb.p_rmt_name_callback[i] = NULL;
217             return(TRUE);
218         }
219     }
220 
221     return(FALSE);
222 }
223 
224 
225 /*******************************************************************************
226 **
227 ** Function         BTM_SecSetConnectFilterCallback
228 **
229 ** Description      Host can register to be asked whenever a HCI connection
230 **                  request is received.  In the registered function host
231 **                  suppose to check connectibility filters.  Yes/No result
232 **                  should be returned syncronously
233 **
234 ** Returns          void
235 **
236 *******************************************************************************/
BTM_SecSetConnectFilterCallback(tBTM_FILTER_CB * p_callback)237 void BTM_SecSetConnectFilterCallback (tBTM_FILTER_CB *p_callback)
238 {
239     btm_cb.p_conn_filter_cb = p_callback;
240 }
241 
242 /*******************************************************************************
243 **
244 ** Function         BTM_GetSecurityMode
245 **
246 ** Description      Get security mode for the device
247 **
248 ** Returns          void
249 **
250 *******************************************************************************/
BTM_GetSecurityMode(void)251 UINT8 BTM_GetSecurityMode (void)
252 {
253     return(btm_cb.security_mode);
254 }
255 
256 /*******************************************************************************
257 **
258 ** Function         BTM_GetSecurityFlags
259 **
260 ** Description      Get security flags for the device
261 **
262 ** Returns          BOOLEAN TRUE or FALSE is device found
263 **
264 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)265 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
266 {
267     tBTM_SEC_DEV_REC *p_dev_rec;
268 
269     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
270     {
271         *p_sec_flags = p_dev_rec->sec_flags;
272         return(TRUE);
273     }
274     BTM_TRACE_ERROR0 ("BTM_GetSecurityFlags false");
275     return(FALSE);
276 }
277 
278 /*******************************************************************************
279 **
280 ** Function         BTM_SetSecurityMode
281 **
282 ** Description      Set security mode for the device
283 **
284 ** Returns          void
285 **
286 *******************************************************************************/
BTM_SetSecurityMode(UINT8 security_mode)287 void BTM_SetSecurityMode (UINT8 security_mode)
288 {
289     UINT8   old_mode = btm_cb.security_mode;
290 
291     UINT8   sp_mode = HCI_SP_MODE_ENABLED;
292     UINT8   sp_debug_mode = HCI_SPD_MODE_DISABLED;
293 
294     switch (security_mode)
295     {
296 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
297         case BTM_SEC_MODE_NONE:
298         case BTM_SEC_MODE_SERVICE:
299         case BTM_SEC_MODE_LINK:
300             break;
301 #endif
302 
303         case BTM_SEC_MODE_SP_DEBUG:
304             sp_debug_mode = HCI_SPD_MODE_ENABLED;
305             break;
306         case BTM_SEC_MODE_SP:
307             /* the default is enabled */
308             break;
309         default:
310             BTM_TRACE_ERROR1 ("BTM_SetSecurityMode: unknown mode:%d", security_mode);
311             return;
312     }
313     btm_cb.security_mode = security_mode;
314 
315     if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
316     {
317         /* Lisbon devices and only use BTM_SEC_MODE_SP */
318         btm_cb.security_mode = BTM_SEC_MODE_SP;
319         BTM_TRACE_DEBUG2("BTM_SetSecurityMode: SP:%d, debug:%d", sp_mode, sp_debug_mode);
320         btsnd_hcic_write_simple_pairing_mode(sp_mode);
321         btsnd_hcic_write_simp_pair_debug_mode(sp_debug_mode);
322         return;
323     }
324 
325     /* must be a pre-Lisbon device */
326 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
327     /* If previously security mode was Link Level and now lesser notify */
328     /* controller not to perform authentication, encryption on startup  */
329     if ((old_mode == BTM_SEC_MODE_LINK)
330         && (       security_mode != BTM_SEC_MODE_LINK))
331     {
332         BTM_TRACE_DEBUG0("BTM_SetSecurityMode: Authen Enable -> FALSE");
333         btsnd_hcic_write_auth_enable (FALSE);
334         btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_DISABLED);
335     }
336 
337     /* If previously security is increased to Link Level notify */
338     /* controller to perform authentication, encryption on startup  */
339     if ((old_mode != BTM_SEC_MODE_LINK)
340         && (       security_mode == BTM_SEC_MODE_LINK))
341     {
342         BTM_TRACE_DEBUG0("BTM_SetSecurityMode: Authen Enable -> TRUE");
343         btsnd_hcic_write_auth_enable (TRUE);
344         btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT);
345     }
346 #endif  /* BTM_PRE_LISBON_INCLUDED == TRUE */
347 }
348 
349 /*******************************************************************************
350 **
351 ** Function         BTM_SetPinType
352 **
353 ** Description      Set PIN type for the device.
354 **
355 ** Returns          void
356 **
357 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)358 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
359 {
360     BTM_TRACE_API3 ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
361                     pin_type, (char *) pin_code, pin_code_len);
362 
363     /* If device is not up security mode will be set as a part of startup */
364     if ( (btm_cb.cfg.pin_type != pin_type)
365          && (btm_cb.devcb.state > BTM_DEV_STATE_WAIT_AFTER_RESET) )
366     {
367         btsnd_hcic_write_pin_type (pin_type);
368     }
369 
370     btm_cb.cfg.pin_type     = pin_type;
371     btm_cb.cfg.pin_code_len = pin_code_len;
372     memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
373 }
374 
375 /*******************************************************************************
376 **
377 ** Function         BTM_SetPairableMode
378 **
379 ** Description      Enable or disable pairing
380 **
381 ** Parameters       allow_pairing - (TRUE or FALSE) whether or not the device
382 **                      allows pairing.
383 **                  connect_only_paired - (TRUE or FALSE) whether or not to
384 **                      only allow paired devices to connect.
385 **
386 ** Returns          void
387 **
388 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)389 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
390 {
391     BTM_TRACE_API2 ("BTM_SetPairableMode()  allow_pairing: %u   connect_only_paired: %u", allow_pairing, connect_only_paired);
392 
393     btm_cb.pairing_disabled    = !allow_pairing;
394     btm_cb.connect_only_paired = connect_only_paired;
395 }
396 
397 
398 #define BTM_NO_AVAIL_SEC_SERVICES   ((UINT16) 0xffff)
399 
400 /*******************************************************************************
401 **
402 ** Function         BTM_SetUCDSecurityLevel
403 **
404 ** Description      Register UCD service security level with Security Manager
405 **
406 ** Parameters:      is_originator - TRUE if originating the connection, FALSE if not
407 **                  p_name      - Name of the service relevant only if
408 **                                authorization will show this name to user. ignored
409 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
410 **                  service_id  - service ID for the service passed to authorization callback
411 **                  sec_level   - bit mask of the security features
412 **                  psm         - L2CAP PSM
413 **                  mx_proto_id - protocol ID of multiplexing proto below
414 **                  mx_chan_id  - channel ID of multiplexing proto below
415 **
416 ** Returns          TRUE if registered OK, else FALSE
417 **
418 *******************************************************************************/
BTM_SetUCDSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)419 BOOLEAN BTM_SetUCDSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
420                                  UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
421                                  UINT32 mx_chan_id)
422 {
423 #if (L2CAP_UCD_INCLUDED == TRUE)
424     CONNECTION_TYPE conn_type;
425 
426     if (is_originator)
427         conn_type = CONNLESS_ORIG;
428     else
429         conn_type = CONNLESS_TERM;
430 
431     return(btm_sec_set_security_level (conn_type, p_name, service_id,
432                                        sec_level, psm, mx_proto_id, mx_chan_id));
433 #else
434     return FALSE;
435 #endif
436 }
437 
438 /*******************************************************************************
439 **
440 ** Function         BTM_SetSecurityLevel
441 **
442 ** Description      Register service security level with Security Manager
443 **
444 ** Parameters:      is_originator - TRUE if originating the connection, FALSE if not
445 **                  p_name      - Name of the service relevant only if
446 **                                authorization will show this name to user. ignored
447 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
448 **                  service_id  - service ID for the service passed to authorization callback
449 **                  sec_level   - bit mask of the security features
450 **                  psm         - L2CAP PSM
451 **                  mx_proto_id - protocol ID of multiplexing proto below
452 **                  mx_chan_id  - channel ID of multiplexing proto below
453 **
454 ** Returns          TRUE if registered OK, else FALSE
455 **
456 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)457 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
458                               UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
459                               UINT32 mx_chan_id)
460 {
461 #if (L2CAP_UCD_INCLUDED == TRUE)
462     CONNECTION_TYPE conn_type;
463 
464     if (is_originator)
465         conn_type = CONN_ORIENT_ORIG;
466     else
467         conn_type = CONN_ORIENT_TERM;
468 
469     return(btm_sec_set_security_level (conn_type, p_name, service_id,
470                                        sec_level, psm, mx_proto_id, mx_chan_id));
471 #else
472     return(btm_sec_set_security_level (is_originator, p_name, service_id,
473                                        sec_level, psm, mx_proto_id, mx_chan_id));
474 #endif
475 }
476 
477 /*******************************************************************************
478 **
479 ** Function         btm_sec_set_security_level
480 **
481 ** Description      Register service security level with Security Manager
482 **
483 ** Parameters:      conn_type   - TRUE if originating the connection, FALSE if not
484 **                  p_name      - Name of the service relevant only if
485 **                                authorization will show this name to user. ignored
486 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
487 **                  service_id  - service ID for the service passed to authorization callback
488 **                  sec_level   - bit mask of the security features
489 **                  psm         - L2CAP PSM
490 **                  mx_proto_id - protocol ID of multiplexing proto below
491 **                  mx_chan_id  - channel ID of multiplexing proto below
492 **
493 ** Returns          TRUE if registered OK, else FALSE
494 **
495 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)496 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
497                                            UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
498                                            UINT32 mx_chan_id)
499 {
500     tBTM_SEC_SERV_REC   *p_srec;
501     UINT16               index;
502     UINT16               first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
503     BOOLEAN              record_allocated = FALSE;
504     BOOLEAN              is_originator;
505 #if (L2CAP_UCD_INCLUDED == TRUE)
506     BOOLEAN              is_ucd;
507 
508     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
509         is_originator = TRUE;
510     else
511         is_originator = FALSE;
512 
513     if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
514     {
515         is_ucd = TRUE;
516     }
517     else
518     {
519         is_ucd = FALSE;
520     }
521 #else
522     is_originator = conn_type;
523 #endif
524 
525     /* See if the record can be reused (same service name, psm, mx_proto_id,
526        service_id, and mx_chan_id), or obtain the next unused record */
527 
528     p_srec = &btm_cb.sec_serv_rec[0];
529 
530 
531     for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
532     {
533         /* Check if there is already a record for this service */
534         if (p_srec->security_flags & BTM_SEC_IN_USE)
535         {
536 #if BTM_SEC_SERVICE_NAME_LEN > 0
537             if (p_srec->psm == psm                  &&
538                 p_srec->mx_proto_id == mx_proto_id  &&
539                 service_id == p_srec->service_id    &&
540                 (!strncmp (p_name, (char *) p_srec->orig_service_name,
541                            BTM_SEC_SERVICE_NAME_LEN) ||
542                  !strncmp (p_name, (char *) p_srec->term_service_name,
543                            BTM_SEC_SERVICE_NAME_LEN)))
544 #else
545             if (p_srec->psm == psm                  &&
546                 p_srec->mx_proto_id == mx_proto_id  &&
547                 service_id == p_srec->service_id)
548 #endif
549             {
550                 record_allocated = TRUE;
551                 break;
552             }
553         }
554         /* Mark the first available service record */
555         else if (!record_allocated)
556         {
557             memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
558             record_allocated = TRUE;
559             first_unused_record = index;
560         }
561     }
562 
563     if (!record_allocated)
564     {
565         BTM_TRACE_WARNING1("BTM_SEC_REG: Out of Service Records (%d)",  BTM_SEC_MAX_SERVICE_RECORDS);
566         return(record_allocated);
567     }
568 
569     /* Process the request if service record is valid */
570     /* If a duplicate service wasn't found, use the first available */
571     if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
572     {
573         index = first_unused_record;
574         p_srec = &btm_cb.sec_serv_rec[index];
575     }
576 
577     p_srec->psm         = psm;
578     p_srec->service_id  = service_id;
579     p_srec->mx_proto_id = mx_proto_id;
580 
581     if (is_originator)
582     {
583         p_srec->orig_mx_chan_id = mx_chan_id;
584 #if BTM_SEC_SERVICE_NAME_LEN > 0
585         BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
586 #endif
587         /* clear out the old setting, just in case it exists */
588 #if (L2CAP_UCD_INCLUDED == TRUE)
589         if ( is_ucd )
590         {
591             p_srec->ucd_security_flags &=
592             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
593               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
594         }
595         else
596 #endif
597         {
598             p_srec->security_flags &=
599             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
600               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
601         }
602 
603         /* Parameter validation.  Originator should not set requirements for incoming connections */
604         sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM);
605 
606         if (btm_cb.security_mode == BTM_SEC_MODE_SP)
607         {
608             if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
609                 sec_level |= BTM_SEC_OUT_MITM;
610         }
611 
612         /* Make sure the authenticate bit is set, when encrypt bit is set */
613         if (sec_level & BTM_SEC_OUT_ENCRYPT)
614             sec_level |= BTM_SEC_OUT_AUTHENTICATE;
615 
616         /* outgoing connections usually set the security level right before
617          * the connection is initiated.
618          * set it to be the outgoing service */
619 #if (L2CAP_UCD_INCLUDED == TRUE)
620         if ( is_ucd == FALSE )
621 #endif
622         {
623             btm_cb.p_out_serv = p_srec;
624         }
625     }
626     else
627     {
628         p_srec->term_mx_chan_id = mx_chan_id;
629 #if BTM_SEC_SERVICE_NAME_LEN > 0
630         BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
631 #endif
632         /* clear out the old setting, just in case it exists */
633 #if (L2CAP_UCD_INCLUDED == TRUE)
634         if ( is_ucd )
635         {
636             p_srec->ucd_security_flags &=
637             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
638               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
639         }
640         else
641 #endif
642         {
643             p_srec->security_flags &=
644             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
645               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
646         }
647 
648         /* Parameter validation.  Acceptor should not set requirements for outgoing connections */
649         sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
650 
651         if (btm_cb.security_mode == BTM_SEC_MODE_SP)
652         {
653             if (sec_level & BTM_SEC_IN_AUTHENTICATE)
654                 sec_level |= BTM_SEC_IN_MITM;
655         }
656 
657         /* Make sure the authenticate bit is set, when encrypt bit is set */
658         if (sec_level & BTM_SEC_IN_ENCRYPT)
659             sec_level |= BTM_SEC_IN_AUTHENTICATE;
660     }
661 
662 #if (L2CAP_UCD_INCLUDED == TRUE)
663     if ( is_ucd )
664     {
665         p_srec->security_flags     |= (UINT16)(BTM_SEC_IN_USE);
666         p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
667     }
668     else
669     {
670         p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
671     }
672 
673     BTM_TRACE_API6("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
674                    index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
675 
676     BTM_TRACE_API2("               : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
677                    p_srec->security_flags, p_srec->ucd_security_flags);
678 
679 #if BTM_SEC_SERVICE_NAME_LEN > 0
680     BTM_TRACE_API2("               : service name [%s] (up to %d chars saved)",
681                    p_name, BTM_SEC_SERVICE_NAME_LEN);
682 #endif
683 #else
684     p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
685 
686     BTM_TRACE_API6("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
687                    index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
688 
689 #if BTM_SEC_SERVICE_NAME_LEN > 0
690     BTM_TRACE_API3("               : sec: 0x%x, service name [%s] (up to %d chars saved)",
691                    p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
692 #endif
693 #endif
694 
695 
696     return(record_allocated);
697 }
698 
699 /*******************************************************************************
700 **
701 ** Function         BTM_SecClrService
702 **
703 ** Description      Removes specified service record(s) from the security database.
704 **                  All service records with the specified name are removed.
705 **                  Typically used only by devices with limited RAM so that it can
706 **                  reuse an old security service record.
707 **
708 **                  Note: Unpredictable results may occur if a service is cleared
709 **                      that is still in use by an application/profile.
710 **
711 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
712 **                          records (except SDP).
713 **
714 ** Returns          Number of records that were freed.
715 **
716 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)717 UINT8 BTM_SecClrService (UINT8 service_id)
718 {
719     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
720     UINT8   num_freed = 0;
721     int     i;
722 
723     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
724     {
725         /* Delete services with specified name (if in use and not SDP) */
726         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
727             (!service_id || (service_id == p_srec->service_id)))
728         {
729             BTM_TRACE_API2("BTM_SEC_CLR[%d]: id %d", i, service_id);
730             p_srec->security_flags = 0;
731 #if (L2CAP_UCD_INCLUDED == TRUE)
732             p_srec->ucd_security_flags = 0;
733 #endif
734             num_freed++;
735         }
736     }
737 
738     return(num_freed);
739 }
740 
741 /*******************************************************************************
742 **
743 ** Function         btm_sec_clr_service_by_psm
744 **
745 ** Description      Removes specified service record from the security database.
746 **                  All service records with the specified psm are removed.
747 **                  Typically used by L2CAP to free up the service record used
748 **                  by dynamic PSM clients when the channel is closed.
749 **                  The given psm must be a virtual psm.
750 **
751 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
752 **                          records (except SDP).
753 **
754 ** Returns          Number of records that were freed.
755 **
756 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)757 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
758 {
759     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
760     UINT8   num_freed = 0;
761     int     i;
762 
763     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
764     {
765         /* Delete services with specified name (if in use and not SDP) */
766         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
767         {
768             BTM_TRACE_API2("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
769             p_srec->security_flags = 0;
770             num_freed++;
771         }
772     }
773     BTM_TRACE_API2("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
774 
775     return(num_freed);
776 }
777 
778 /*******************************************************************************
779 **
780 ** Function         btm_sec_clr_temp_auth_service
781 **
782 ** Description      Removes specified device record's temporary authorization
783 **                  flag from the security database.
784 **
785 ** Parameters       Device address to be cleared
786 **
787 ** Returns          void.
788 **
789 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)790 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
791 {
792     tBTM_SEC_DEV_REC   *p_dev_rec;
793 
794     if ((p_dev_rec = btm_find_dev (bda)) == NULL)
795     {
796         BTM_TRACE_WARNING0 ("btm_sec_clr_temp_auth_service() - no dev CB");
797         return;
798     }
799 
800     /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
801     if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
802     {
803         BTM_TRACE_DEBUG6 ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
804                     bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
805 
806         p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
807     }
808 }
809 
810 /*******************************************************************************
811 **
812 **
813 ** Function         BTM_SecClrUCDService
814 **
815 ** Description
816 **
817 ** Parameters       Service ID - Id of the service to remove.
818 **                               ('0' removes all service records )
819 **
820 ** Returns          Number of records that were cleared.
821 **
822 *******************************************************************************/
BTM_SecClrUCDService(UINT8 service_id)823 UINT8 BTM_SecClrUCDService (UINT8 service_id)
824 {
825 #if (L2CAP_UCD_INCLUDED == TRUE)
826     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
827     UINT8   num_cleared = 0;
828     int     i;
829 
830     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
831     {
832         /* Delete services with specified name (if in use and not SDP) */
833         if ((p_srec->security_flags & BTM_SEC_IN_USE) &&
834             (!service_id || (service_id == (UINT32)p_srec->service_id)))
835         {
836             BTM_TRACE_API2("BTM_UCD_SEC_CLR[%d]: id %d", i, service_id);
837             p_srec->ucd_security_flags = 0;
838             num_cleared++;
839         }
840     }
841 
842     return(num_cleared);
843 #else
844     return(0);
845 #endif
846 }
847 
848 /*******************************************************************************
849 **
850 ** Function         BTM_PINCodeReply
851 **
852 ** Description      This function is called after Security Manager submitted
853 **                  PIN code request to the UI.
854 **
855 ** Parameters:      bd_addr      - Address of the device for which PIN was requested
856 **                  res          - result of the operation BTM_SUCCESS if success
857 **                  pin_len      - length in bytes of the PIN Code
858 **                  p_pin        - pointer to array with the PIN Code
859 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
860 **
861 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])862 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
863 {
864     tBTM_SEC_DEV_REC *p_dev_rec;
865 
866     BTM_TRACE_API4 ("BTM_PINCodeReply(): PairState: %s   PairFlags: 0x%02x  PinLen:%d  Result:%d",
867                     btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
868 
869     /* If timeout already expired or has been canceled, ignore the reply */
870     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
871     {
872         BTM_TRACE_WARNING1 ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
873         return;
874     }
875 
876     if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
877     {
878         BTM_TRACE_ERROR0 ("BTM_PINCodeReply() - Wrong BD Addr");
879         return;
880     }
881 
882     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
883     {
884         BTM_TRACE_ERROR0 ("BTM_PINCodeReply() - no dev CB");
885         return;
886     }
887 
888     if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
889         res = BTM_ILLEGAL_VALUE;
890 
891     if (res != BTM_SUCCESS)
892     {
893         /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
894         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
895             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
896             (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
897         {
898             /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
899             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
900             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
901 
902             btsnd_hcic_pin_code_neg_reply (bd_addr);
903         }
904         else
905         {
906             p_dev_rec->security_required = BTM_SEC_NONE;
907             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
908         }
909         return;
910     }
911     if (trusted_mask)
912         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
913     p_dev_rec->sec_flags   |= BTM_SEC_LINK_KEY_AUTHED;
914 
915     if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
916          &&  (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
917          &&  (btm_cb.security_mode_changed == FALSE) )
918     {
919         /* This is start of the dedicated bonding if local device is 2.0 */
920         btm_cb.pin_code_len = pin_len;
921         memcpy (btm_cb.pin_code, p_pin, pin_len);
922 
923         btm_cb.security_mode_changed = TRUE;
924 #ifdef APPL_AUTH_WRITE_EXCEPTION
925         if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
926 #endif
927         btsnd_hcic_write_auth_enable (TRUE);
928 
929         btm_cb.acl_disc_reason = 0xff ;
930 
931         /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
932         /*  before originating  */
933         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
934         {
935             BTM_TRACE_WARNING0 ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
936             /* we change state little bit early so btm_sec_connected() will originate connection */
937             /*   when existing ACL link is down completely */
938             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
939         }
940         /* if we already accepted incoming connection from pairing device */
941         else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
942         {
943             BTM_TRACE_WARNING0 ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
944             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
945         }
946         else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
947         {
948             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
949             p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
950 
951             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
952                                                     p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
953         }
954         return;
955     }
956 
957     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
958     btm_cb.acl_disc_reason = HCI_SUCCESS;
959 
960 #ifdef PORCHE_PAIRING_CONFLICT
961     BTM_TRACE_EVENT2("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len);
962     /* if this was not pre-fetched, save the PIN */
963     if (btm_cb.pin_code_len == 0)
964         memcpy (btm_cb.pin_code, p_pin, pin_len);
965     btm_cb.pin_code_len_saved = pin_len;
966 #endif
967     btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
968 }
969 
970 
971 /*******************************************************************************
972 **
973 ** Function         BTM_DeviceAuthorized
974 **
975 ** Description      This function is called after Security Manager submitted
976 **                  authorization request to the UI.
977 **
978 ** Parameters:      bd_addr     - Address of the device for which PIN was requested
979 **                  res         - result of the operation BTM_SUCCESS if success
980 **
981 *******************************************************************************/
BTM_DeviceAuthorized(BD_ADDR bd_addr,UINT8 res,UINT32 trusted_mask[])982 void BTM_DeviceAuthorized (BD_ADDR bd_addr, UINT8 res, UINT32 trusted_mask[])
983 {
984     tBTM_SEC_DEV_REC *p_dev_rec;
985 
986     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
987     {
988         BTM_TRACE_WARNING6 ("Security Manager: Attempting Authorization of Unknown Device Address [%02x%02x%02x%02x%02x%02x]",
989                             bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
990         return;
991     }
992 
993     BTM_TRACE_EVENT4 ("Security Manager: authorized status:%d State:%d Trusted:%08x %08x",
994                       res, (p_dev_rec) ? p_dev_rec->sec_state : 0, trusted_mask[0], trusted_mask[1]);
995 
996     if (res == BTM_SUCCESS)
997     {
998         p_dev_rec->sec_flags   |= BTM_SEC_AUTHORIZED;
999         if (trusted_mask)
1000         {
1001             BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1002         }
1003 
1004         /* Save the currently authorized service in case we are asked again
1005         by another multiplexer layer */
1006         if (!p_dev_rec->is_originator)
1007         {
1008             BTM_TRACE_DEBUG1("BTM_DeviceAuthorized: Setting last_author_service_id to %d",
1009                              p_dev_rec->p_cur_service->service_id);
1010             p_dev_rec->last_author_service_id = p_dev_rec->p_cur_service->service_id;
1011         }
1012     }
1013 
1014     if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
1015         return;
1016 
1017     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1018 
1019     if (res != BTM_SUCCESS)
1020     {
1021         btm_sec_dev_rec_cback_event (p_dev_rec, res);
1022         return;
1023     }
1024 
1025     if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
1026     {
1027         btm_sec_dev_rec_cback_event (p_dev_rec, res);
1028     }
1029 }
1030 
1031 
1032 
1033 /*******************************************************************************
1034 **
1035 ** Function         BTM_SecBond
1036 **
1037 ** Description      This function is called to perform bonding with peer device.
1038 **                  If the connection is already up, but not secure, pairing
1039 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1040 **
1041 ** Parameters:      bd_addr      - Address of the device to bond
1042 **                  pin_len      - length in bytes of the PIN Code
1043 **                  p_pin        - pointer to array with the PIN Code
1044 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1045 **
1046 **  Note: After 2.1 parameters are not used and preserved here not to change API
1047 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1048 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1049 {
1050     tBTM_SEC_DEV_REC *p_dev_rec;
1051     tBTM_STATUS      status;
1052     UINT8            *p_features;
1053     UINT8            ii;
1054 #if SMP_INCLUDED == TRUE
1055     tACL_CONN   *p=NULL;
1056     BOOLEAN     is_le_slave_role=FALSE;
1057     tBT_DEVICE_TYPE     dev_type;
1058     tBLE_ADDR_TYPE      addr_type;
1059 #endif
1060     BTM_TRACE_API6 ("BTM_SecBond BDA: %02x:%02x:%02x:%02x:%02x:%02x",
1061                     bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
1062 
1063     /* Other security process is in progress */
1064     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1065     {
1066         BTM_TRACE_ERROR1 ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
1067         return(BTM_WRONG_MODE);
1068     }
1069 
1070 
1071     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
1072     BTM_TRACE_DEBUG1 ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
1073 
1074 
1075 #if SMP_INCLUDED == TRUE
1076     p = btm_bda_to_acl(bd_addr);
1077     if (p && p->is_le_link )
1078     {
1079         if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1080         {
1081             BTM_TRACE_ERROR1 ("BTM_SecBond: LE already busy in state: %x", p_dev_rec->sec_state );
1082             return(BTM_WRONG_MODE);
1083         }
1084 
1085         if (p->link_role == BTM_ROLE_SLAVE)
1086         {
1087             is_le_slave_role = TRUE;
1088             BTM_TRACE_DEBUG0 ("LE Link Slave" );
1089         }
1090         else
1091         {
1092             BTM_TRACE_DEBUG0 ("LE Link Maste" );
1093         }
1094     }
1095     else
1096     {
1097         BTM_TRACE_DEBUG0 ("No LE Link" );
1098     }
1099 
1100     if (!is_le_slave_role)
1101     {
1102         /* Finished if connection is active and already paired */
1103         if ( (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1104              &&  (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) )
1105         {
1106             BTM_TRACE_WARNING0("BTM_SecBond -> Already Paired");
1107             return(BTM_SUCCESS);
1108         }
1109     }
1110 #else
1111     /* Finished if connection is active and already paired */
1112     if ( (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1113          &&  (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) )
1114     {
1115         BTM_TRACE_WARNING0("BTM_SecBond -> Already Paired");
1116         return(BTM_SUCCESS);
1117     }
1118 #endif
1119 
1120     /* Tell controller to get rid of the link key if it has one stored */
1121     if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1122         return(BTM_NO_RESOURCES);
1123 
1124     /* Save the PIN code if we got a valid one */
1125     if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1126     {
1127         btm_cb.pin_code_len = pin_len;
1128         memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1129     }
1130 
1131     memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1132 
1133     btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1134 
1135     p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1136     p_dev_rec->is_originator     = TRUE;
1137     if (trusted_mask)
1138         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1139 
1140 
1141 
1142 #if SMP_INCLUDED == TRUE
1143 
1144     if (!is_le_slave_role)
1145     {
1146         p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1147                                   | BTM_SEC_ROLE_SWITCHED  | BTM_SEC_LINK_KEY_AUTHED);
1148 
1149     }
1150 
1151     BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1152     /* LE device, do SMP pairing */
1153     if (dev_type == BT_DEVICE_TYPE_BLE)
1154     {
1155         if (SMP_Pair(bd_addr) == SMP_STARTED)
1156         {
1157             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1158             return BTM_CMD_STARTED;
1159         }
1160         else
1161             return(BTM_NO_RESOURCES);
1162     }
1163 #else
1164     p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1165                               | BTM_SEC_ROLE_SWITCHED  | BTM_SEC_LINK_KEY_AUTHED);
1166 #endif
1167 
1168     BTM_TRACE_DEBUG1 ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1169     if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
1170     {
1171         /* The special case when we authenticate keyboard.  Set pin type to fixed */
1172         /* It would be probably better to do it from the application, but it is */
1173         /* complicated */
1174         if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1175             && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1176             && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1177         {
1178             btm_cb.pin_type_changed = TRUE;
1179             btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1180         }
1181     }
1182 
1183     BTM_TRACE_EVENT1("BTM_SecBond: Local device supports SSP=%d",
1184             HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]));
1185 
1186     for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1187     {
1188         p_features = p_dev_rec->features[ii];
1189         BTM_TRACE_EVENT5("  remote_features page[%1d] = %02x-%02x-%02x-%02x",
1190                          ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1191         BTM_TRACE_EVENT4("                              %02x-%02x-%02x-%02x",
1192                              p_features[4], p_features[5], p_features[6], p_features[7]);
1193     }
1194 
1195     BTM_TRACE_EVENT2 ("BTM_SecBond: Remote sm4: 0x%x  HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1196 
1197 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1198     p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1199 #endif
1200 
1201     /* If connection already exists... */
1202     if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1203     {
1204         if (!btm_sec_start_authentication (p_dev_rec))
1205             return(BTM_NO_RESOURCES);
1206 
1207         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1208 
1209         /* Mark lcb as bonding */
1210         l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1211         return(BTM_CMD_STARTED);
1212     }
1213 
1214     BTM_TRACE_DEBUG2 ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1215     if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0])
1216         || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1217     {
1218         if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1219 	        return(BTM_CMD_STARTED);
1220     }
1221     if (BTM_SEC_MODE_SP == btm_cb.security_mode && BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1222     {
1223         /* local is 2.1 and peer is unknown */
1224         if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1225         {
1226             /* we are not accepting connection request from peer
1227              * -> RNR (to learn if peer is 2.1)
1228              * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1229             btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1230             BTM_ReadRemoteDeviceName(bd_addr, NULL);
1231         }
1232         else
1233         {
1234             /* We are accepting connection request from peer */
1235             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1236         }
1237         BTM_TRACE_DEBUG3 ("State:%s sm4: 0x%x sec_state:%d", btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1238         return BTM_CMD_STARTED;
1239     }
1240 
1241     /* both local and peer are 2.1  */
1242     status = btm_sec_dd_create_conn(p_dev_rec);
1243 
1244     if (status != BTM_CMD_STARTED)
1245     {
1246         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1247     }
1248 
1249     return status;
1250 }
1251 
1252 
1253 /*******************************************************************************
1254 **
1255 ** Function         BTM_SecBondCancel
1256 **
1257 ** Description      This function is called to cancel ongoing bonding process
1258 **                  with peer device.
1259 **
1260 ** Parameters:      bd_addr      - Address of the peer device
1261 **
1262 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1263 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1264 {
1265     tBTM_SEC_DEV_REC *p_dev_rec;
1266 #if SMP_INCLUDED == TRUE
1267     tACL_CONN   *p=NULL;
1268 #endif
1269 
1270     BTM_TRACE_API2 ("BTM_SecBondCancel()  State: %s flags:0x%x",
1271                     btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1272 
1273     if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1274         ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1275         return BTM_UNKNOWN_ADDR;
1276 
1277 #if SMP_INCLUDED == TRUE
1278     p = btm_bda_to_acl(bd_addr);
1279     if (p && p->is_le_link &&
1280         (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING))
1281     {
1282         BTM_TRACE_DEBUG0 ("Cancel LE pairing");
1283         if (SMP_PairCancel(bd_addr))
1284         {
1285             return BTM_CMD_STARTED;
1286         }
1287         else
1288         {
1289             return BTM_WRONG_MODE;
1290         }
1291     }
1292 
1293 #endif
1294     BTM_TRACE_DEBUG2 ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1295     if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1296         BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1297     {
1298         /* pre-fetching pin for dedicated bonding */
1299         btm_sec_bond_cancel_complete();
1300         return BTM_SUCCESS;
1301     }
1302 
1303     /* If this BDA is in a bonding procedure */
1304     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1305          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1306     {
1307         /* If the HCI link is up */
1308         if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1309         {
1310             /* If some other thread disconnecting, we do not send second command */
1311             if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING)
1312                 return(BTM_CMD_STARTED);
1313 
1314             /* If the HCI link was set up by Bonding process */
1315             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1316                 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER);
1317             else
1318                 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1319 
1320             return BTM_NOT_AUTHORIZED;
1321         }
1322         else /*HCI link is not up */
1323         {
1324             /* If the HCI link creation was started by Bonding process */
1325             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1326             {
1327                 if (btsnd_hcic_create_conn_cancel(bd_addr))
1328                     return BTM_CMD_STARTED;
1329 
1330                 return BTM_NO_RESOURCES;
1331             }
1332             if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1333             {
1334                 BTM_CancelRemoteDeviceName();
1335                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1336                 return BTM_CMD_STARTED;
1337             }
1338             return BTM_NOT_AUTHORIZED;
1339         }
1340     }
1341 
1342     return BTM_WRONG_MODE;
1343 }
1344 
1345 /*******************************************************************************
1346 **
1347 ** Function         BTM_SecUseMasterLinkKey
1348 **
1349 ** Description      This function is called to tell master of the piconet to
1350 **                  switch to master link key
1351 **
1352 ** Parameters:      use_master_key - If true Master Link Key shoul be used
1353 **
1354 *******************************************************************************/
BTM_SecUseMasterLinkKey(BOOLEAN use_master_key)1355 tBTM_STATUS BTM_SecUseMasterLinkKey (BOOLEAN use_master_key)
1356 {
1357     return(btsnd_hcic_master_link_key (use_master_key) ?  BTM_SUCCESS :
1358            BTM_NO_RESOURCES);
1359 }
1360 
1361 /*******************************************************************************
1362 **
1363 ** Function         BTM_SetMasterKeyCompCback
1364 **
1365 ** Description      This function is called to register for the master key complete
1366 **                  status event.
1367 **
1368 ** Parameters:      mkey_cback - callback registered with the security manager
1369 **
1370 *******************************************************************************/
BTM_SetMasterKeyCompCback(tBTM_MKEY_CALLBACK * mkey_cback)1371 void BTM_SetMasterKeyCompCback( tBTM_MKEY_CALLBACK *mkey_cback )
1372 {
1373     btm_cb.mkey_cback = mkey_cback;
1374 }
1375 
1376 /*******************************************************************************
1377 **
1378 ** Function         BTM_SecGetDeviceLinkKey
1379 **
1380 ** Description      This function is called to obtain link key for the device
1381 **                  it returns BTM_SUCCESS if link key is available, or
1382 **                  BTM_UNKNOWN_ADDR if Security Manager does not know about
1383 **                  the device or device record does not contain link key info
1384 **
1385 ** Parameters:      bd_addr      - Address of the device
1386 **                  link_key     - Link Key is copied into this array
1387 **
1388 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1389 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1390 {
1391     tBTM_SEC_DEV_REC *p_dev_rec;
1392 
1393     if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1394         && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1395     {
1396         memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1397         return(BTM_SUCCESS);
1398     }
1399     return(BTM_UNKNOWN_ADDR);
1400 }
1401 
1402 
1403 /*******************************************************************************
1404 **
1405 ** Function         BTM_SetEncryption
1406 **
1407 ** Description      This function is called to ensure that connection is
1408 **                  encrypted.  Should be called only on an open connection.
1409 **                  Typically only needed for connections that first want to
1410 **                  bring up unencrypted links, then later encrypt them.
1411 **
1412 ** Parameters:      bd_addr       - Address of the peer device
1413 **                  p_callback    - Pointer to callback function called if
1414 **                                  this function returns PENDING after required
1415 **                                  procedures are completed.  Can be set to NULL
1416 **                                  if status is not desired.
1417 **                  p_ref_data    - pointer to any data the caller wishes to receive
1418 **                                  in the callback function upon completion.
1419 *                                   can be set to NULL if not used.
1420 **
1421 ** Returns          BTM_SUCCESS   - already encrypted
1422 **                  BTM_PENDING   - command will be returned in the callback
1423 **                  BTM_WRONG_MODE- connection not up.
1424 **                  BTM_BUSY      - security procedures are currently active
1425 **                  BTM_MODE_UNSUPPORTED - if security manager not linked in.
1426 **
1427 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1428 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBTM_SEC_CBACK *p_callback,
1429                                void *p_ref_data)
1430 {
1431     tBTM_SEC_DEV_REC  *p_dev_rec;
1432     tBTM_STATUS       rc;
1433 
1434 #if BLE_INCLUDED == TRUE
1435     tACL_CONN         *p;
1436     p = btm_bda_to_acl(bd_addr);
1437 #endif
1438 
1439     p_dev_rec = btm_find_dev (bd_addr);
1440     if (!p_dev_rec || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
1441     {
1442         /* Connection should be up and runnning */
1443         BTM_TRACE_WARNING0 ("Security Manager: BTM_SetEncryption not connected");
1444 
1445         if (p_callback)
1446             (*p_callback) (bd_addr, p_ref_data, BTM_WRONG_MODE);
1447 
1448         return(BTM_WRONG_MODE);
1449     }
1450 
1451 
1452     if (
1453 #if BLE_INCLUDED == TRUE
1454        !p->is_le_link &&
1455 #endif
1456        (p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))
1457        == (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))
1458     {
1459         BTM_TRACE_EVENT0 ("Security Manager: BTM_SetEncryption already encrypted");
1460 
1461         if (p_callback)
1462             (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS);
1463 
1464         return(BTM_SUCCESS);
1465     }
1466 
1467     if (p_dev_rec->p_callback)
1468     {
1469         /* Connection should be up and runnning */
1470         BTM_TRACE_WARNING0 ("Security Manager: BTM_SetEncryption busy");
1471 
1472         if (p_callback)
1473             (*p_callback) (bd_addr, p_ref_data, BTM_BUSY);
1474 
1475         return(BTM_BUSY);
1476     }
1477 
1478     p_dev_rec->p_callback        = p_callback;
1479     p_dev_rec->p_ref_data        = p_ref_data;
1480     p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1481     p_dev_rec->is_originator     = FALSE;
1482 
1483     BTM_TRACE_API4 ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1484                     p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1485                     p_dev_rec->security_required);
1486 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1487     if (p->is_le_link)
1488     {
1489         rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1490     }
1491     else
1492 #endif
1493 
1494         rc = btm_sec_execute_procedure (p_dev_rec);
1495 
1496     if ( rc != BTM_CMD_STARTED)
1497     {
1498         if (p_callback)
1499         {
1500             p_dev_rec->p_callback = NULL;
1501             (*p_callback) (bd_addr, p_dev_rec->p_ref_data, rc);
1502         }
1503     }
1504     return(rc);
1505 }
1506 
1507 /*******************************************************************************
1508  * disconnect the ACL link, if it's not done yet.
1509 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason)1510 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason)
1511 {
1512     UINT8       old_state = p_dev_rec->sec_state;
1513     tBTM_STATUS status = BTM_CMD_STARTED;
1514 
1515     BTM_TRACE_EVENT2 ("btm_sec_send_hci_disconnect:  handle:0x%x, reason=0x%x",
1516                       p_dev_rec->hci_handle, reason);
1517 
1518     /* if some other thread disconnecting, we do not send second command */
1519     if (BTM_SEC_STATE_DISCONNECTING != old_state)
1520     {
1521         p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING;
1522 
1523 #if BTM_DISC_DURING_RS == TRUE
1524         /* If a Role Switch is in progress, delay the HCI Disconnect to avoid controller problem (4329B1) */
1525         if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING)
1526         {
1527                  BTM_TRACE_ERROR0("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1528                  p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1529                  status = BTM_SUCCESS;
1530         }
1531         else
1532 #endif
1533         /* Tear down the HCI link */
1534         if (!btsnd_hcic_disconnect (p_dev_rec->hci_handle, reason))
1535         {
1536             /* could not send disconnect. restore old state */
1537             p_dev_rec->sec_state = old_state;
1538             status = BTM_NO_RESOURCES;
1539         }
1540     }
1541     return (status);
1542 }
1543 
1544 /*******************************************************************************
1545 **
1546 ** Function         BTM_ConfirmReqReply
1547 **
1548 ** Description      This function is called to confirm the numeric value for
1549 **                  Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1550 **
1551 ** Parameters:      res           - result of the operation BTM_SUCCESS if success
1552 **                  bd_addr       - Address of the peer device
1553 **
1554 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1555 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1556 {
1557     tBTM_SEC_DEV_REC *p_dev_rec;
1558 
1559     BTM_TRACE_EVENT2 ("BTM_ConfirmReqReply() State: %s  Res: %u",
1560                       btm_pair_state_descr(btm_cb.pairing_state), res);
1561 
1562     /* If timeout already expired or has been canceled, ignore the reply */
1563     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1564          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1565         return;
1566 
1567     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1568 
1569     if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1570     {
1571         btm_cb.acl_disc_reason = HCI_SUCCESS;
1572 
1573         if (res == BTM_SUCCESS)
1574         {
1575             if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1576                 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1577         }
1578 
1579         btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1580     }
1581     else
1582     {
1583         /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1584         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1585         btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1586     }
1587 }
1588 
1589 /*******************************************************************************
1590 **
1591 ** Function         BTM_PasskeyReqReply
1592 **
1593 ** Description      This function is called to provide the passkey for
1594 **                  Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1595 **
1596 ** Parameters:      res     - result of the operation BTM_SUCCESS if success
1597 **                  bd_addr - Address of the peer device
1598 **                  passkey - numeric value in the range of
1599 **                  BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1600 **
1601 *******************************************************************************/
1602 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1603 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1604 {
1605     tBTM_SEC_DEV_REC *p_dev_rec;
1606 
1607     BTM_TRACE_API2 ("BTM_PasskeyReqReply: State: %s  res:%d",
1608                     btm_pair_state_descr(btm_cb.pairing_state), res);
1609 
1610     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1611          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1612     {
1613         return;
1614     }
1615 
1616     /* If timeout already expired or has been canceled, ignore the reply */
1617     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1618     {
1619         if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1620         {
1621             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1622 
1623             if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1624                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE);
1625             else
1626                 BTM_SecBondCancel(bd_addr);
1627 
1628             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1629 
1630             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1631             return;
1632         }
1633     }
1634     else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1635         return;
1636 
1637     if (passkey > BTM_MAX_PASSKEY_VAL)
1638         res = BTM_ILLEGAL_VALUE;
1639 
1640     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1641 
1642     if (res != BTM_SUCCESS)
1643     {
1644         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1645         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1646         btsnd_hcic_user_passkey_neg_reply (bd_addr);
1647     }
1648     else
1649     {
1650         btm_cb.acl_disc_reason = HCI_SUCCESS;
1651         btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1652     }
1653 }
1654 #endif
1655 
1656 /*******************************************************************************
1657 **
1658 ** Function         BTM_SendKeypressNotif
1659 **
1660 ** Description      This function is used during the passkey entry model
1661 **                  by a device with KeyboardOnly IO capabilities
1662 **                  (very likely to be a HID Device).
1663 **                  It is called by a HID Device to inform the remote device when
1664 **                  a key has been entered or erased.
1665 **
1666 ** Parameters:      bd_addr - Address of the peer device
1667 **                  type - notification type
1668 **
1669 *******************************************************************************/
1670 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1671 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1672 {
1673     /* This API only make sense between PASSKEY_REQ and SP complete */
1674     if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1675         btsnd_hcic_send_keypress_notif (bd_addr, type);
1676 }
1677 #endif
1678 
1679 #if BTM_OOB_INCLUDED == TRUE
1680 /*******************************************************************************
1681 **
1682 ** Function         BTM_IoCapRsp
1683 **
1684 ** Description      This function is called in response to BTM_SP_IO_REQ_EVT
1685 **                  When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1686 **                  by the tBTM_SP_CALLBACK implementation, this function is
1687 **                  called to provide the actual response
1688 **
1689 ** Parameters:      bd_addr - Address of the peer device
1690 **                  io_cap  - The IO capability of local device.
1691 **                  oob     - BTM_OOB_NONE or BTM_OOB_PRESENT.
1692 **                  auth_req- MITM protection required or not.
1693 **
1694 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1695 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1696 {
1697     BTM_TRACE_EVENT3 ("BTM_IoCapRsp: state: %s  oob: %d io_cap: %d",
1698                       btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1699 
1700     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1701          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1702         return;
1703 
1704     if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1705     {
1706         btm_cb.devcb.loc_auth_req   = auth_req;
1707         btm_cb.devcb.loc_io_caps    = io_cap;
1708 
1709         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1710             auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1711 
1712         btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1713     }
1714 }
1715 
1716 /*******************************************************************************
1717 **
1718 ** Function         BTM_ReadLocalOobData
1719 **
1720 ** Description      This function is called to read the local OOB data from
1721 **                  LM
1722 **
1723 *******************************************************************************/
BTM_ReadLocalOobData(void)1724 tBTM_STATUS BTM_ReadLocalOobData(void)
1725 {
1726     tBTM_STATUS status = BTM_SUCCESS;
1727 
1728     if (btsnd_hcic_read_local_oob_data() == FALSE)
1729         status = BTM_NO_RESOURCES;
1730 
1731     return status;
1732 }
1733 
1734 /*******************************************************************************
1735 **
1736 ** Function         BTM_RemoteOobDataReply
1737 **
1738 ** Description      This function is called to provide the remote OOB data for
1739 **                  Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1740 **
1741 ** Parameters:      bd_addr     - Address of the peer device
1742 **                  c           - simple pairing Hash C.
1743 **                  r           - simple pairing Randomizer  C.
1744 **
1745 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1746 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1747 {
1748     BTM_TRACE_EVENT2 ("BTM_RemoteOobDataReply():  State: %s  res:%d",
1749                       btm_pair_state_descr(btm_cb.pairing_state), res);
1750 
1751     /* If timeout already expired or has been canceled, ignore the reply */
1752     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1753         return;
1754 
1755     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1756 
1757     if (res != BTM_SUCCESS)
1758     {
1759         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1760         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1761         btsnd_hcic_rem_oob_neg_reply (bd_addr);
1762     }
1763     else
1764     {
1765         btm_cb.acl_disc_reason = HCI_SUCCESS;
1766         btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1767     }
1768 }
1769 
1770 /*******************************************************************************
1771 **
1772 ** Function         BTM_BuildOobData
1773 **
1774 ** Description      This function is called to build the OOB data payload to
1775 **                  be sent over OOB (non-Bluetooth) link
1776 **
1777 ** Parameters:      p_data  - the location for OOB data
1778 **                  max_len - p_data size.
1779 **                  c       - simple pairing Hash C.
1780 **                  r       - simple pairing Randomizer  C.
1781 **                  name_len- 0, local device name would not be included.
1782 **                            otherwise, the local device name is included for
1783 **                            up to this specified length
1784 **
1785 ** Returns          Number of bytes in p_data.
1786 **
1787 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1788 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1789                         BT_OCTET16 r, UINT8 name_len)
1790 {
1791     UINT8   *p = p_data;
1792     UINT16  len = 0;
1793     UINT16  delta;
1794 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1795     UINT16  name_size;
1796     UINT8   name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1797 #endif
1798 
1799     if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1800     {
1801         /* add mandatory part */
1802         UINT16_TO_STREAM(p, len);
1803         BDADDR_TO_STREAM(p, btm_cb.devcb.local_addr);
1804 
1805         len = BTM_OOB_MANDATORY_SIZE;
1806         max_len -= len;
1807 
1808         /* now optional part */
1809 
1810         /* add Hash C */
1811         delta = BTM_OOB_HASH_C_SIZE + 2;
1812         if (max_len >= delta)
1813         {
1814             *p++ = BTM_OOB_HASH_C_SIZE + 1;
1815             *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1816             ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1817             len     += delta;
1818             max_len -= delta;
1819         }
1820 
1821         /* add Rand R */
1822         delta = BTM_OOB_RAND_R_SIZE + 2;
1823         if (max_len >= delta)
1824         {
1825             *p++ = BTM_OOB_RAND_R_SIZE + 1;
1826             *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1827             ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1828             len     += delta;
1829             max_len -= delta;
1830         }
1831 
1832         /* add class of device */
1833         delta = BTM_OOB_COD_SIZE + 2;
1834         if (max_len >= delta)
1835         {
1836             *p++ = BTM_OOB_COD_SIZE + 1;
1837             *p++ = BTM_EIR_OOB_COD_TYPE;
1838             DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1839             len     += delta;
1840             max_len -= delta;
1841         }
1842 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1843         name_size = name_len;
1844         if (name_size > strlen(btm_cb.cfg.bd_name))
1845         {
1846             name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1847             name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1848         }
1849         delta = name_size + 2;
1850         if (max_len >= delta)
1851         {
1852             *p++ = name_size + 1;
1853             *p++ = name_type;
1854             ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1855             len     += delta;
1856             max_len -= delta;
1857         }
1858 #endif
1859         /* update len */
1860         p = p_data;
1861         UINT16_TO_STREAM(p, len);
1862     }
1863     return len;
1864 }
1865 
1866 /*******************************************************************************
1867 **
1868 ** Function         BTM_ReadOobData
1869 **
1870 ** Description      This function is called to parse the OOB data payload
1871 **                  received over OOB (non-Bluetooth) link
1872 **
1873 ** Parameters:      p_data  - the location for OOB data
1874 **                  eir_tag - The associated EIR tag to read the data.
1875 **                  *p_len(output) - the length of the data with the given tag.
1876 **
1877 ** Returns          the beginning of the data with the given tag.
1878 **                  NULL, if the tag is not found.
1879 **
1880 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1881 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1882 {
1883     UINT8   *p = p_data;
1884     UINT16  max_len;
1885     UINT8   len, type;
1886     UINT8   *p_ret = NULL;
1887     UINT8   ret_len = 0;
1888 
1889     if (p_data)
1890     {
1891         STREAM_TO_UINT16(max_len, p);
1892         if (max_len >= BTM_OOB_MANDATORY_SIZE)
1893         {
1894             if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1895             {
1896                 p_ret = p; /* the location for bd_addr */
1897                 ret_len = BTM_OOB_BD_ADDR_SIZE;
1898             }
1899             else
1900             {
1901                 p += BD_ADDR_LEN;
1902                 max_len -= BTM_OOB_MANDATORY_SIZE;
1903                 /* now the optional data in EIR format */
1904                 while (max_len > 0)
1905                 {
1906                     len     = *p++; /* tag data len + 1 */
1907                     type    = *p++;
1908                     if (eir_tag == type)
1909                     {
1910                         p_ret = p;
1911                         ret_len = len - 1;
1912                         break;
1913                     }
1914                     /* the data size of this tag is len + 1 (tag data len + 2) */
1915                     if (max_len > len)
1916                     {
1917                         max_len -= len;
1918                         max_len--;
1919                         len--;
1920                         p += len;
1921                     }
1922                     else
1923                         max_len = 0;
1924                 }
1925             }
1926         }
1927     }
1928 
1929     if (p_len)
1930         *p_len = ret_len;
1931 
1932     return p_ret;
1933 }
1934 #endif
1935 
1936 /*******************************************************************************
1937 **
1938 ** Function         BTM_SetOutService
1939 **
1940 ** Description      This function is called to set the service for
1941 **                  outgoing connections.
1942 **
1943 **                  If the profile/application calls BTM_SetSecurityLevel
1944 **                  before initiating a connection, this function does not
1945 **                  need to be called.
1946 **
1947 ** Returns          void
1948 **
1949 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1950 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1951 {
1952     tBTM_SEC_DEV_REC *p_dev_rec;
1953     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1954     int i;
1955 
1956     btm_cb.p_out_serv = p_serv_rec;
1957     p_dev_rec = btm_find_dev (bd_addr);
1958 
1959     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1960     {
1961         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1962             && (p_serv_rec->service_id == service_id)
1963             && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1964         {
1965             BTM_TRACE_API4("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1966                            p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1967             btm_cb.p_out_serv = p_serv_rec;
1968             if (p_dev_rec)
1969                 p_dev_rec->p_cur_service = p_serv_rec;
1970             break;
1971         }
1972     }
1973 }
1974 
1975 /************************************************************************
1976 **              I N T E R N A L     F U N C T I O N S
1977 *************************************************************************/
1978 /*******************************************************************************
1979 **
1980 ** Function         btm_sec_is_upgrade_possible
1981 **
1982 ** Description      This function returns TRUE if the existing link key
1983 **                  can be upgraded or if the link key does not exist.
1984 **
1985 ** Returns          BOOLEAN
1986 **
1987 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)1988 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
1989 {
1990     UINT16              mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
1991     BOOLEAN             is_possible = TRUE;
1992 
1993     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
1994     {
1995         is_possible = FALSE;
1996         BTM_TRACE_DEBUG5 ("btm_sec_is_upgrade_possible id:%d, link_key_typet:%d, rmt_io_caps:%d, chk flags:x%x, flags:x%x",
1997                           p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps,
1998                           mtm_check, p_dev_rec->p_cur_service->security_flags);
1999         /* Already have a link key to the connected peer. Is the link key secure enough?
2000         ** Is a link key upgrade even possible?
2001         */
2002         if ((p_dev_rec->security_required & mtm_check)                          /* needs MITM */
2003             && (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) /* has unauthenticated link key */
2004             && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX)                           /* a valid peer IO cap */
2005             && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) /* authenticated link key is possible */
2006         {
2007             /* upgrade is possible: check if the application wants the upgrade.
2008              * If the application is configured to use a global MITM flag,
2009              * it probably would not want to upgrade the link key based on the security level database */
2010             is_possible = TRUE;
2011         }
2012     }
2013     BTM_TRACE_DEBUG2 ("btm_sec_is_upgrade_possible is_possible:%d sec_flags:0x%x", is_possible, p_dev_rec->sec_flags);
2014     return is_possible;
2015 }
2016 
2017 /*******************************************************************************
2018 **
2019 ** Function         btm_sec_check_upgrade
2020 **
2021 ** Description      This function is called to check if the existing link key
2022 **                  needs to be upgraded.
2023 **
2024 ** Returns          void
2025 **
2026 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2027 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
2028 {
2029     tBTM_SP_UPGRADE     evt_data;
2030 
2031     BTM_TRACE_DEBUG0 ("btm_sec_check_upgrade...");
2032 
2033     /* Only check if link key already exists */
2034     if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2035         return;
2036     if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2037     {
2038         BTM_TRACE_DEBUG1 ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2039         /* upgrade is possible: check if the application wants the upgrade.
2040          * If the application is configured to use a global MITM flag,
2041          * it probably would not want to upgrade the link key based on the security level database */
2042         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2043         evt_data.upgrade = TRUE;
2044         if (btm_cb.api.p_sp_callback)
2045             (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2046 
2047         BTM_TRACE_DEBUG1 ("evt_data.upgrade:0x%x", evt_data.upgrade);
2048         if (evt_data.upgrade)
2049         {
2050             /* if the application confirms the upgrade, set the upgrade bit */
2051             p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2052 
2053             /* Clear the link key known to go through authentication/pairing again */
2054             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2055             p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2056             BTM_TRACE_DEBUG1 ("sec_flags:0x%x", p_dev_rec->sec_flags);
2057         }
2058     }
2059 }
2060 
2061 /*******************************************************************************
2062 **
2063 ** Function         btm_sec_l2cap_access_req
2064 **
2065 ** Description      This function is called by the L2CAP to grant permission to
2066 **                  establish L2CAP connection to or from the peer device.
2067 **
2068 ** Parameters:      bd_addr       - Address of the peer device
2069 **                  psm           - L2CAP PSM
2070 **                  is_originator - TRUE if protocol above L2CAP originates
2071 **                                  connection
2072 **                  p_callback    - Pointer to callback function called if
2073 **                                  this function returns PENDING after required
2074 **                                  procedures are complete. MUST NOT BE NULL.
2075 **
2076 ** Returns          tBTM_STATUS
2077 **
2078 *******************************************************************************/
2079 #define BTM_SEC_OUT_FLAGS   (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2080 #define BTM_SEC_IN_FLAGS    (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2081 
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2082 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2083                                       CONNECTION_TYPE conn_type,
2084                                       tBTM_SEC_CALLBACK *p_callback,
2085                                       void *p_ref_data)
2086 {
2087     tBTM_SEC_DEV_REC  *p_dev_rec;
2088     tBTM_SEC_SERV_REC *p_serv_rec;
2089     UINT16         security_required;
2090     UINT16         old_security_required;
2091     BOOLEAN       old_is_originator;
2092     tBTM_STATUS   rc = BTM_SUCCESS;
2093     BOOLEAN       chk_acp_auth_done = FALSE;
2094     BOOLEAN is_originator;
2095 
2096 #if (L2CAP_UCD_INCLUDED == TRUE)
2097     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2098         is_originator = TRUE;
2099     else
2100         is_originator = FALSE;
2101 
2102     BTM_TRACE_DEBUG2 ("btm_sec_l2cap_access_req conn_type:0x%x, 0x%x", conn_type, p_ref_data);
2103 #else
2104     is_originator = conn_type;
2105 
2106     BTM_TRACE_DEBUG2 ("btm_sec_l2cap_access_req is_originator:%d, 0x%x", is_originator, p_ref_data);
2107 #endif
2108 
2109     /* Find or get oldest record */
2110     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2111 
2112     p_dev_rec->hci_handle = handle;
2113 
2114     /* Find the service record for the PSM */
2115     p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2116 
2117     /* If there is no application registered with this PSM do not allow connection */
2118     if (!p_serv_rec)
2119     {
2120         BTM_TRACE_WARNING1 ("btm_sec_l2cap_access_req()  PSM:%d no application registerd", psm);
2121 
2122         (*p_callback) (bd_addr, p_ref_data, BTM_MODE_UNSUPPORTED);
2123 
2124         return(BTM_MODE_UNSUPPORTED);
2125     }
2126 
2127     /* SDP connection we will always let through */
2128     if (BT_PSM_SDP == psm)
2129     {
2130         (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2131 
2132         return(BTM_SUCCESS);
2133     }
2134 #if (L2CAP_UCD_INCLUDED == TRUE)
2135     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2136     {
2137         security_required = p_serv_rec->ucd_security_flags;
2138 
2139         rc = BTM_CMD_STARTED;
2140         if (is_originator)
2141         {
2142             if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2143                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2144                 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2145                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2146             {
2147                 rc = BTM_SUCCESS;
2148             }
2149         }
2150         else
2151         {
2152             if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2153                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2154                 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2155                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2156             {
2157                 rc = BTM_SUCCESS;
2158             }
2159         }
2160 
2161         if (rc == BTM_SUCCESS)
2162         {
2163             if (p_callback)
2164                 (*p_callback) (bd_addr, (void *)p_ref_data, BTM_SUCCESS);
2165 
2166             return(BTM_SUCCESS);
2167         }
2168     }
2169     else
2170 #endif
2171     {
2172         security_required = p_serv_rec->security_flags;
2173     }
2174 
2175     /* there are some devices (moto KRZR) which connects to several services at the same time */
2176     /* we will process one after another */
2177     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2178     {
2179         BTM_TRACE_EVENT4 ("btm_sec_l2cap_access_req() - busy - PSM:%d delayed  state: %s mode:%d, sm4:0x%x",
2180                           psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2181         BTM_TRACE_EVENT2 ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2182         rc = BTM_CMD_STARTED;
2183         if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2184             || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2185             || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2186            )
2187         {
2188             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2189              * or SM4 with no possibility of link key upgrade */
2190             if (is_originator)
2191             {
2192                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2193                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2194                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2195                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2196                 {
2197                     rc = BTM_SUCCESS;
2198                 }
2199             }
2200             else
2201             {
2202                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2203                     ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2204                     ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2205                     ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2206                 {
2207                     rc = BTM_SUCCESS;
2208                 }
2209             }
2210 
2211             if (rc == BTM_SUCCESS)
2212             {
2213                 if (p_callback)
2214                     (*p_callback) (bd_addr, (void *)p_ref_data, BTM_SUCCESS);
2215 
2216                 return(BTM_SUCCESS);
2217             }
2218         }
2219 
2220         btm_cb.sec_req_pending = TRUE;
2221         return(BTM_CMD_STARTED);
2222     }
2223 
2224     /* Save pointer to service record */
2225     p_dev_rec->p_cur_service = p_serv_rec;
2226 
2227 
2228     /* mess /w security_required in btm_sec_l2cap_access_req for Lisbon */
2229     if (btm_cb.security_mode == BTM_SEC_MODE_SP)
2230     {
2231         if (is_originator)
2232         {
2233             if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2234             {
2235                 /* SM4 to SM4 -> always authenticate & encrypt */
2236                 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2237             }
2238             else
2239             {
2240                 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2241                 {
2242                     BTM_TRACE_DEBUG1 ("remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2243                     /* the remote features are not known yet */
2244                     p_dev_rec->sm4          |= BTM_SM4_REQ_PEND;
2245 
2246                     return(BTM_CMD_STARTED);
2247                 }
2248             }
2249         }
2250         else
2251         {
2252             /* responder */
2253             if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2254             {
2255                 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2256                 chk_acp_auth_done = TRUE;
2257                 /* SM4 to SM4 -> always authenticate & encrypt */
2258                 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2259             }
2260             else
2261             {
2262                 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2263                 {
2264                     BTM_TRACE_DEBUG1 ("(rsp) remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2265                     /* the remote features are not known yet */
2266                     p_dev_rec->sm4          |= BTM_SM4_REQ_PEND;
2267 
2268                     return(BTM_CMD_STARTED);
2269                 }
2270             }
2271         }
2272     }
2273 
2274     BTM_TRACE_DEBUG4 ("btm_sec_l2cap_access_req()  sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d",
2275                       p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2276 
2277     old_security_required        = p_dev_rec->security_required;
2278     old_is_originator            = p_dev_rec->is_originator;
2279     p_dev_rec->security_required = security_required;
2280     p_dev_rec->p_ref_data        = p_ref_data;
2281     p_dev_rec->is_originator     = is_originator;
2282 
2283 #if (L2CAP_UCD_INCLUDED == TRUE)
2284     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2285         p_dev_rec->is_ucd = TRUE;
2286     else
2287         p_dev_rec->is_ucd = FALSE;
2288 #endif
2289 
2290     /* If there are multiple service records used through the same PSM */
2291     /* leave security decision for the multiplexor on the top */
2292 #if (L2CAP_UCD_INCLUDED == TRUE)
2293     if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2294         &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2295 #else
2296     if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2297 #endif
2298     {
2299         BTM_TRACE_DEBUG2 ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2300         if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2301         {
2302             BTM_TRACE_EVENT1 ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2303             /* pre-Lisbon: restore the old settings */
2304             p_dev_rec->security_required = old_security_required;
2305             p_dev_rec->is_originator     = old_is_originator;
2306 
2307             (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS);
2308 
2309             return(BTM_SUCCESS);
2310         }
2311     }
2312 
2313     /* if the originator is using dynamic PSM in legacy mode, do not start any security process now.
2314      * The layer above L2CAP needs to carry out the security requirement after L2CAP connect response is received*/
2315     if (is_originator && (btm_cb.security_mode != BTM_SEC_MODE_SP || !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2316     {
2317         BTM_TRACE_EVENT1 ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2318         /* restore the old settings */
2319         p_dev_rec->security_required = old_security_required;
2320         p_dev_rec->is_originator     = old_is_originator;
2321 
2322         (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS);
2323 
2324         return(BTM_SUCCESS);
2325     }
2326 
2327     if (chk_acp_auth_done)
2328     {
2329         BTM_TRACE_DEBUG2 ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2330                           (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2331         /* SM4, but we do not know for sure which level of security we need.
2332          * as long as we have a link key, it's OK */
2333         if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2334             ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2335         {
2336             rc = BTM_DELAY_CHECK;
2337             /*
2338             2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2339             because of data path issues. Delay this disconnect a little bit
2340             */
2341             BTM_TRACE_ERROR0 ("peer should have initiated security process by now (SM4 to SM4)");
2342             p_dev_rec->p_callback        = p_callback;
2343             p_dev_rec->sec_state         = BTM_SEC_STATE_DELAY_FOR_ENC;
2344             (*p_callback) (bd_addr, p_ref_data, rc);
2345 
2346             return(BTM_SUCCESS);
2347         }
2348     }
2349 
2350     p_dev_rec->p_callback        = p_callback;
2351 
2352     if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2353         || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2354     {
2355         /* Although authentication and encryption are per connection
2356         ** authorization is per access request.  For example when serial connection
2357         ** is up and authorized and client requests to read file (access to other
2358         ** scn), we need to request user's permission again.
2359         */
2360         p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2361     }
2362 
2363     if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2364     {
2365         /* If we already have a link key to the connected peer, is the link key secure enough ? */
2366         btm_sec_check_upgrade(p_dev_rec, is_originator);
2367     }
2368 
2369     BTM_TRACE_EVENT6 ("Security Manager: l2cap_access_req PSM:%d Handle:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2370                       psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2371 
2372     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2373     {
2374         p_dev_rec->p_callback = NULL;
2375         (*p_callback) (bd_addr, p_dev_rec->p_ref_data, (UINT8)rc);
2376     }
2377 
2378     return(rc);
2379 }
2380 
2381 /*******************************************************************************
2382 **
2383 ** Function         btm_sec_mx_access_request
2384 **
2385 ** Description      This function is called by all Multiplexing Protocols during
2386 **                  establishing connection to or from peer device to grant
2387 **                  permission to establish application connection.
2388 **
2389 ** Parameters:      bd_addr       - Address of the peer device
2390 **                  psm           - L2CAP PSM
2391 **                  is_originator - TRUE if protocol above L2CAP originates
2392 **                                  connection
2393 **                  mx_proto_id   - protocol ID of the multiplexer
2394 **                  mx_chan_id    - multiplexer channel to reach application
2395 **                  p_callback    - Pointer to callback function called if
2396 **                                  this function returns PENDING after required
2397 **                                  procedures are completed
2398 **                  p_ref_data    - Pointer to any reference data needed by the
2399 **                                  the callback function.
2400 **
2401 ** Returns          BTM_CMD_STARTED
2402 **
2403 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2404 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2405                                        UINT32 mx_proto_id, UINT32 mx_chan_id,
2406                                        tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2407 
2408 {
2409     tBTM_SEC_DEV_REC  *p_dev_rec;
2410     tBTM_SEC_SERV_REC *p_serv_rec;
2411     tBTM_STATUS        rc;
2412     UINT16             security_required;
2413 
2414     BTM_TRACE_DEBUG1 ("btm_sec_mx_access_request is_originator:%d", is_originator);
2415     /* Find or get oldest record */
2416     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2417 
2418     /* Find the service record for the PSM */
2419     p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2420 
2421     /* If there is no application registered with this PSM do not allow connection */
2422     if (!p_serv_rec)
2423     {
2424         if (p_callback)
2425             (*p_callback) (bd_addr, p_ref_data, BTM_MODE_UNSUPPORTED);
2426 
2427         BTM_TRACE_ERROR3 ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2428                           psm, mx_proto_id, mx_chan_id);
2429         return BTM_NO_RESOURCES;
2430     }
2431 
2432     /* there are some devices (moto phone) which connects to several services at the same time */
2433     /* we will process one after another */
2434     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2435     {
2436         BTM_TRACE_EVENT4 ("btm_sec_mx_access_request service PSM:%d Proto:%d SCN:%d delayed  state: %s",
2437                           psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2438 
2439         rc = BTM_CMD_STARTED;
2440         security_required = p_serv_rec->security_flags;
2441         if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2442             || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2443             || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2444            )
2445         {
2446             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2447              * or SM4 with no possibility of link key upgrade */
2448             if (is_originator)
2449             {
2450                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2451                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2452                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2453                     )
2454                 {
2455                     rc = BTM_SUCCESS;
2456                 }
2457             }
2458             else
2459             {
2460                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2461                     ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2462                     ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2463                     )
2464                 {
2465                     rc = BTM_SUCCESS;
2466                 }
2467             }
2468         }
2469         if (rc == BTM_CMD_STARTED)
2470         {
2471             btm_sec_queue_mx_request (bd_addr, psm,  is_originator, mx_proto_id, mx_chan_id, p_callback, p_ref_data);
2472             return rc;
2473         }
2474     }
2475 
2476     p_dev_rec->p_cur_service     = p_serv_rec;
2477     p_dev_rec->security_required = p_serv_rec->security_flags;
2478 
2479     if (BTM_SEC_MODE_SP == btm_cb.security_mode)
2480     {
2481         if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2482         {
2483             /* If we already have a link key, check if that link key is good enough */
2484             btm_sec_check_upgrade(p_dev_rec, is_originator);
2485         }
2486     }
2487 
2488     p_dev_rec->is_originator     = is_originator;
2489     p_dev_rec->p_callback        = p_callback;
2490     p_dev_rec->p_ref_data        = p_ref_data;
2491 
2492     /* Although authentication and encryption are per connection */
2493     /* authorization is per access request.  For example when serial connection */
2494     /* is up and authorized and client requests to read file (access to other */
2495     /* scn, we need to request user's permission again. */
2496     p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2497 
2498     BTM_TRACE_EVENT6 ("Security Manager: mx_access_req proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2499                       mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2500 
2501     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2502     {
2503         if (p_callback)
2504         {
2505             p_dev_rec->p_callback = NULL;
2506 
2507             (*p_callback) (bd_addr, p_ref_data, (UINT8)rc);
2508         }
2509     }
2510 
2511     return rc;
2512 }
2513 
2514 /*******************************************************************************
2515 **
2516 ** Function         btm_sec_conn_req
2517 **
2518 ** Description      This function is when the peer device is requesting
2519 **                  connection
2520 **
2521 ** Returns          void
2522 **
2523 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2524 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2525 {
2526     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bda);
2527 
2528     /* Some device may request a connection before we are done with the HCI_Reset sequence */
2529     if (btm_cb.devcb.state != BTM_DEV_STATE_READY)
2530     {
2531         BTM_TRACE_EVENT0 ("Security Manager: connect request when device not ready");
2532         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2533         return;
2534     }
2535 
2536     /* Security guys wants us not to allow connection from not paired devices */
2537 
2538     /* Check if connection is allowed for only paired devices */
2539     if (btm_cb.connect_only_paired)
2540     {
2541         if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2542         {
2543             BTM_TRACE_EVENT0 ("Security Manager: connect request from non-paired device");
2544             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2545             return;
2546         }
2547     }
2548 
2549 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2550     /* If non-discoverable, only allow known devices to connect */
2551     if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2552     {
2553         if (!p_dev_rec)
2554         {
2555             BTM_TRACE_EVENT0 ("Security Manager: connect request from not paired device");
2556             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2557             return;
2558         }
2559     }
2560 #endif
2561 
2562     /* Host can be registered to verify comming BDA or DC */
2563     if (btm_cb.p_conn_filter_cb)
2564     {
2565         if (!(* btm_cb.p_conn_filter_cb) (bda, dc))
2566         {
2567             BTM_TRACE_EVENT0 ("Security Manager: connect request did not pass filter");
2568 
2569             /* incomming call did not pass connection filters.  Reject */
2570             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2571             return;
2572         }
2573     }
2574 
2575     if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2576         &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2577         &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2578     {
2579         BTM_TRACE_EVENT0 ("Security Manager: reject connect request from bonding device");
2580 
2581         /* incoming connection from bonding device is rejected */
2582         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2583         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2584         return;
2585     }
2586 
2587     /* Host is not interested or approved connection.  Save BDA and DC and */
2588     /* pass request to L2CAP */
2589     memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2590     memcpy (btm_cb.connecting_dc,  dc,  DEV_CLASS_LEN);
2591 
2592     if (l2c_link_hci_conn_req (bda))
2593     {
2594         if (!p_dev_rec)
2595         {
2596             /* accept the connection -> allocate a device record */
2597             p_dev_rec = btm_sec_alloc_dev (bda);
2598         }
2599         if (p_dev_rec)
2600         {
2601             p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2602         }
2603     }
2604 }
2605 
2606 /*******************************************************************************
2607 **
2608 ** Function         btm_sec_bond_cancel_complete
2609 **
2610 ** Description      This function is called to report bond cancel complete
2611 **                  event.
2612 **
2613 ** Returns          void
2614 **
2615 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2616 static void btm_sec_bond_cancel_complete (void)
2617 {
2618     tBTM_SEC_DEV_REC *p_dev_rec;
2619 
2620     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2621         (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2622          BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2623          (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2624           BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2625     {
2626         /* for dedicated bonding in legacy mode, authentication happens at "link level"
2627          * btm_sec_connected is called with failed status.
2628          * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2629          * However, this function may clean out the security related flags and btm_sec_connected would not know
2630          * this function also needs to do proper clean up.
2631          */
2632         if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2633             p_dev_rec->security_required = BTM_SEC_NONE;
2634         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2635 
2636         /* Notify application that the cancel succeeded */
2637         if (btm_cb.api.p_bond_cancel_cmpl_callback)
2638             btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2639     }
2640 }
2641 
2642 /*******************************************************************************
2643 **
2644 ** Function         btm_create_conn_cancel_complete
2645 **
2646 ** Description      This function is called when the command complete message
2647 **                  is received from the HCI for the create connection cancel
2648 **                  command.
2649 **
2650 ** Returns          void
2651 **
2652 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2653 void btm_create_conn_cancel_complete (UINT8 *p)
2654 {
2655     UINT8       status;
2656 
2657     STREAM_TO_UINT8 (status, p);
2658     BTM_TRACE_EVENT2 ("btm_create_conn_cancel_complete(): in State: %s  status:%d",
2659                       btm_pair_state_descr(btm_cb.pairing_state), status);
2660 
2661     /* if the create conn cancel cmd was issued by the bond cancel,
2662     ** the application needs to be notified that bond cancel succeeded
2663     */
2664     switch (status)
2665     {
2666         case HCI_SUCCESS:
2667             btm_sec_bond_cancel_complete();
2668             break;
2669         case HCI_ERR_CONNECTION_EXISTS:
2670         case HCI_ERR_NO_CONNECTION:
2671         default:
2672             /* Notify application of the error */
2673             if (btm_cb.api.p_bond_cancel_cmpl_callback)
2674                 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2675             break;
2676     }
2677 }
2678 
2679 /*******************************************************************************
2680 **
2681 ** Function         btm_sec_check_pending_reqs
2682 **
2683 ** Description      This function is called at the end of the security procedure
2684 **                  to let L2CAP and RFCOMM know to re-submit any pending requests
2685 **
2686 ** Returns          void
2687 **
2688 *******************************************************************************/
btm_sec_check_pending_reqs(void)2689 void btm_sec_check_pending_reqs (void)
2690 {
2691     tBTM_SEC_QUEUE_ENTRY    *p_e;
2692     BUFFER_Q                bq;
2693 
2694     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2695     {
2696         /* First, resubmit L2CAP requests */
2697         if (btm_cb.sec_req_pending)
2698         {
2699             btm_cb.sec_req_pending = FALSE;
2700             l2cu_resubmit_pending_sec_req (NULL);
2701         }
2702 
2703         /* Now, re-submit anything in the mux queue */
2704         bq = btm_cb.sec_pending_q;
2705 
2706         GKI_init_q (&btm_cb.sec_pending_q);
2707 
2708         while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2709         {
2710             /* Check that the ACL is still up before starting security procedures */
2711             if (btm_bda_to_acl(p_e->bd_addr) != NULL)
2712             {
2713                 BTM_TRACE_EVENT4 ("btm_sec_check_pending_reqs() submitting  PSM: 0x%04x  Is_Orig: %u  mx_proto_id: %u  mx_chan_id: %u",
2714                                   p_e->psm, p_e->is_orig, p_e->mx_proto_id, p_e->mx_chan_id);
2715 
2716                 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2717                                            p_e->mx_proto_id, p_e->mx_chan_id,
2718                                            p_e->p_callback, p_e->p_ref_data);
2719             }
2720 
2721             GKI_freebuf (p_e);
2722         }
2723     }
2724 }
2725 
2726 /*******************************************************************************
2727 **
2728 ** Function         btm_sec_init
2729 **
2730 ** Description      This function is on the SEC startup
2731 **
2732 ** Returns          void
2733 **
2734 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2735 void btm_sec_init (UINT8 sec_mode)
2736 {
2737 #if 0  /* cleared in btm_init; put back in if calling from anywhere else! */
2738     int i;
2739 
2740     memset (btm_cb.sec_serv_rec, 0, sizeof (btm_cb.sec_serv_rec));
2741     memset (btm_cb.sec_dev_rec, 0, sizeof (btm_cb.sec_dev_rec));
2742     memset (&btm_cb.pairing_tle, 0, sizeof(TIMER_LIST_ENT));
2743 
2744 #endif
2745     btm_cb.security_mode = sec_mode;
2746     memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2747     btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2748 }
2749 
2750 /*******************************************************************************
2751 **
2752 ** Function         btm_sec_device_down
2753 **
2754 ** Description      This function should be called when device is disabled or
2755 **                  turned off
2756 **
2757 ** Returns          void
2758 **
2759 *******************************************************************************/
btm_sec_device_down(void)2760 void btm_sec_device_down (void)
2761 {
2762     BTM_TRACE_EVENT1 ("btm_sec_device_down()  State: %s", btm_pair_state_descr(btm_cb.pairing_state));
2763 
2764     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2765 }
2766 
2767 /*******************************************************************************
2768 **
2769 ** Function         btm_sec_dev_reset
2770 **
2771 ** Description      This function should be called after device reset
2772 **
2773 ** Returns          void
2774 **
2775 *******************************************************************************/
btm_sec_dev_reset(void)2776 void btm_sec_dev_reset (void)
2777 {
2778 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
2779     if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
2780     {
2781         btsnd_hcic_write_auth_enable (TRUE);
2782         btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT);
2783     }
2784 #endif
2785 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
2786     else
2787 #endif
2788         /* btm_sec_dev_reset() is only called from btm_decode_ext_features_page(...)
2789          * right now. */
2790         if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
2791     {
2792 #if BLE_INCLUDED == TRUE
2793         btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID,
2794                                   (UINT8 *)HCI_DUMO_EVENT_MASK_EXT);
2795 #else
2796         btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID,
2797                                   (UINT8 *)HCI_LISBON_EVENT_MASK_EXT);
2798 #endif
2799         /* set the default IO capabilities */
2800         btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2801         /* add mx service to use no security */
2802 #if (RFCOMM_INCLUDED == TRUE)
2803         BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2804                              BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2805 #endif
2806     }
2807     else
2808     {
2809         btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2810     }
2811 
2812     BTM_TRACE_DEBUG1 ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2813 }
2814 
2815 /*******************************************************************************
2816 **
2817 ** Function         btm_sec_abort_access_req
2818 **
2819 ** Description      This function is called by the L2CAP or RFCOMM to abort
2820 **                  the pending operation.
2821 **
2822 ** Parameters:      bd_addr       - Address of the peer device
2823 **
2824 ** Returns          void
2825 **
2826 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2827 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2828 {
2829     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
2830 
2831     if (!p_dev_rec)
2832         return;
2833 
2834     if (btm_cb.api.p_abort_callback)
2835         (*btm_cb.api.p_abort_callback)(bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
2836 
2837     if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
2838         && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
2839         return;
2840 
2841     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
2842     p_dev_rec->p_callback = NULL;
2843 }
2844 
2845 /*******************************************************************************
2846 **
2847 ** Function         btm_sec_dd_create_conn
2848 **
2849 ** Description      This function is called to create the ACL connection for
2850 **                  the dedicated boding process
2851 **
2852 ** Returns          void
2853 **
2854 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)2855 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
2856 {
2857     tL2C_LCB         *p_lcb;
2858 
2859     /* Make sure an L2cap link control block is available */
2860     if ((p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE)) == NULL)
2861     {
2862         BTM_TRACE_WARNING6 ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
2863                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2864                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2865 
2866         return(BTM_NO_RESOURCES);
2867     }
2868 
2869     /* set up the control block to indicated dedicated bonding */
2870     btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
2871 
2872     if (l2cu_create_conn(p_lcb) == FALSE)
2873     {
2874         BTM_TRACE_WARNING6 ("Security Manager: failed create  [%02x%02x%02x%02x%02x%02x]",
2875                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2876                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2877 
2878         l2cu_release_lcb(p_lcb);
2879         return(BTM_NO_RESOURCES);
2880     }
2881 
2882 #if (defined(BTM_BUSY_LEVEL_CHANGE_INCLUDED) && BTM_BUSY_LEVEL_CHANGE_INCLUDED == TRUE)
2883     btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
2884 #endif
2885 
2886     BTM_TRACE_DEBUG6 ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
2887                       p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2888                       p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2889 
2890     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
2891 
2892     return(BTM_CMD_STARTED);
2893 }
2894 
2895 /*******************************************************************************
2896 **
2897 ** Function         btm_sec_rmt_name_request_complete
2898 **
2899 ** Description      This function is called when remote name was obtained from
2900 **                  the peer device
2901 **
2902 ** Returns          void
2903 **
2904 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)2905 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
2906 {
2907     tBTM_SEC_DEV_REC *p_dev_rec;
2908     int              i;
2909     DEV_CLASS        dev_class;
2910     UINT8            old_sec_state;
2911 
2912     BTM_TRACE_EVENT0 ("btm_sec_rmt_name_request_complete");
2913     if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
2914         || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
2915     {
2916         btm_acl_resubmit_page();
2917     }
2918 
2919     /* If remote name request failed, p_bd_addr is null and we need to search */
2920     /* based on state assuming that we are doing 1 at a time */
2921     if (p_bd_addr)
2922         p_dev_rec = btm_find_dev (p_bd_addr);
2923     else
2924     {
2925         p_dev_rec = &btm_cb.sec_dev_rec[0];
2926 
2927         for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
2928         {
2929             if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
2930                 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
2931             {
2932                 p_bd_addr = p_dev_rec->bd_addr;
2933                 break;
2934             }
2935         }
2936 
2937         if (i == BTM_SEC_MAX_DEVICE_RECORDS)
2938             p_dev_rec = NULL;
2939     }
2940 
2941 
2942     /* Commenting out trace due to obf/compilation problems.
2943     */
2944 #if (BT_USE_TRACES == TRUE)
2945     if (!p_bd_name)
2946         p_bd_name = (UINT8 *)"";
2947 
2948     if (p_dev_rec)
2949     {
2950         BTM_TRACE_EVENT5 ("Security Manager: rmt_name_complete PairState: %s  RemName: %s  status: %d State:%d  p_dev_rec: 0x%08x ",
2951                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
2952                           status, p_dev_rec->sec_state, p_dev_rec);
2953     }
2954     else
2955     {
2956         BTM_TRACE_EVENT3 ("Security Manager: rmt_name_complete PairState: %s  RemName: %s  status: %d",
2957                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
2958                           status);
2959     }
2960 #endif
2961 
2962     if (p_dev_rec)
2963     {
2964         old_sec_state = p_dev_rec->sec_state;
2965         if (status == HCI_SUCCESS)
2966         {
2967             BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
2968             p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
2969             BTM_TRACE_EVENT1 ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
2970         }
2971         else
2972         {
2973             /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
2974             p_dev_rec->sec_bd_name[0] = 0;
2975         }
2976 
2977         if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
2978             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2979 
2980         /* Notify all clients waiting for name to be resolved */
2981         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
2982         {
2983             if (btm_cb.p_rmt_name_callback[i])
2984                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
2985                                                  p_dev_rec->sec_bd_name);
2986         }
2987     }
2988     else
2989     {
2990         dev_class[0] = 0;
2991         dev_class[1] = 0;
2992         dev_class[2] = 0;
2993 
2994         /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
2995         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
2996         {
2997             if (btm_cb.p_rmt_name_callback[i])
2998                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
2999         }
3000 
3001         return;
3002     }
3003 
3004     /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3005     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3006          &&  (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3007     {
3008         BTM_TRACE_EVENT2 ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3009 
3010         if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
3011             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
3012             btm_cb.api.p_pin_callback)
3013         {
3014             BTM_TRACE_EVENT0 ("btm_sec_rmt_name_request_complete() calling pin_callback");
3015             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3016             (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name);
3017         }
3018 
3019         /* Set the same state again to force the timer to be restarted */
3020         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3021         return;
3022     }
3023 
3024     /* Check if we were delaying bonding because name was not resolved */
3025     if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3026     {
3027         if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3028         {
3029             BTM_TRACE_EVENT2 ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
3030             if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3031             {
3032                 btm_sec_bond_cancel_complete();
3033                 return;
3034             }
3035 
3036             if (status != HCI_SUCCESS)
3037             {
3038                 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3039 
3040                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3041                                                         p_dev_rec->sec_bd_name, status);
3042                 return;
3043             }
3044 
3045             /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3046             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3047             {
3048                 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.
3049                  * If it is set, there may be a race condition */
3050 				BTM_TRACE_EVENT1 ("btm_sec_rmt_name_request_complete  IS_SM4_UNKNOWN Flags:0x%04x", btm_cb.pairing_flags);
3051                 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3052                 {
3053                     p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3054                 }
3055             }
3056 
3057             /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3058             ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3059             */
3060             if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3061             {
3062                 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3063                 /*  before originating  */
3064                 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3065                 {
3066                     BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
3067                 }
3068                 /* Both we and the peer are 2.1 - continue to create connection */
3069                 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3070                 {
3071                     BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: failed to start connection");
3072 
3073                     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3074 
3075                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3076                                                             p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3077                 }
3078             }
3079             return;
3080         }
3081         else
3082         {
3083             BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
3084 
3085             BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL);
3086             return;
3087         }
3088     }
3089 
3090     /* check if we were delaying link_key_callback because name was not resolved */
3091     if (p_dev_rec->link_key_not_sent)
3092     {
3093         /* If HCI connection complete has not arrived, wait for it */
3094         if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3095             return;
3096 
3097         p_dev_rec->link_key_not_sent = FALSE;
3098         btm_send_link_key_notif(p_dev_rec);
3099 
3100         /* If its not us who perform authentication, we should tell stackserver */
3101         /* that some authentication has been completed                          */
3102         /* This is required when different entities receive link notification and auth complete */
3103         if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3104         {
3105             if (btm_cb.api.p_auth_complete_callback)
3106                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3107                                                         p_dev_rec->dev_class,
3108                                                         p_dev_rec->sec_bd_name, HCI_SUCCESS);
3109 
3110         }
3111     }
3112 
3113     /* If this is a bonding procedure can disconnect the link now */
3114     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3115         && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3116     {
3117         BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete (none/ce)");
3118         p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3119         l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3120         return;
3121     }
3122 
3123     if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3124         return;
3125 
3126     /* If get name failed, notify the waiting layer */
3127     if (status != HCI_SUCCESS)
3128     {
3129         btm_sec_dev_rec_cback_event  (p_dev_rec, BTM_ERR_PROCESSING);
3130         return;
3131     }
3132 
3133     if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3134     {
3135         BTM_TRACE_EVENT0 ("waiting for remote features!!");
3136         return;
3137     }
3138 
3139     /* Remote Name succeeded, execute the next security procedure, if any */
3140     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3141 
3142     /* If result is pending reply from the user or from the device is pending */
3143     if (status == BTM_CMD_STARTED)
3144         return;
3145 
3146     /* There is no next procedure or start of procedure failed, notify the waiting layer */
3147     btm_sec_dev_rec_cback_event  (p_dev_rec, status);
3148 }
3149 
3150 /*******************************************************************************
3151 **
3152 ** Function         btm_sec_rmt_host_support_feat_evt
3153 **
3154 ** Description      This function is called when the
3155 **                  HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3156 **
3157 ** Returns          void
3158 **
3159 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3160 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3161 {
3162     tBTM_SEC_DEV_REC *p_dev_rec;
3163     BD_ADDR         bd_addr;        /* peer address */
3164     BD_FEATURES     features;
3165 
3166     STREAM_TO_BDADDR (bd_addr, p);
3167     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3168 
3169     BTM_TRACE_EVENT2 ("btm_sec_rmt_host_support_feat_evt  sm4: 0x%x  p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3170 
3171     if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3172     {
3173         p_dev_rec->sm4 = BTM_SM4_KNOWN;
3174         STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3175         if (HCI_SSP_HOST_SUPPORTED(features))
3176         {
3177             p_dev_rec->sm4 = BTM_SM4_TRUE;
3178         }
3179         BTM_TRACE_EVENT2 ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3180     }
3181 }
3182 
3183 /*******************************************************************************
3184 **
3185 ** Function         btm_io_capabilities_req
3186 **
3187 ** Description      This function is called when LM request for the IO
3188 **                  capability of the local device and
3189 **                  if the OOB data is present for the device in the event
3190 **
3191 ** Returns          void
3192 **
3193 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3194 void btm_io_capabilities_req (UINT8 *p)
3195 {
3196     tBTM_SP_IO_REQ  evt_data;
3197     UINT8           err_code = 0;
3198     tBTM_SEC_DEV_REC *p_dev_rec;
3199     BOOLEAN         is_orig = TRUE;
3200     UINT8           callback_rc = BTM_SUCCESS;
3201 
3202     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3203 
3204     /* setup the default response according to compile options */
3205     /* assume that the local IO capability does not change
3206      * loc_io_caps is initialized with the default value */
3207     evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3208     evt_data.oob_data = BTM_OOB_NONE;
3209     evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3210 
3211     BTM_TRACE_EVENT1 ("btm_io_capabilities_req() State: %s", btm_pair_state_descr(btm_cb.pairing_state));
3212 
3213     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3214     p_dev_rec->sm4 |= BTM_SM4_TRUE;
3215 
3216     BTM_TRACE_EVENT3 ("btm_io_capabilities_req() State: %s  Flags: 0x%04x  p_cur_service: 0x%08x",
3217                       btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3218 
3219     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3220     {
3221         if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP)
3222         {
3223             /* received IO capability response already-> not the originator of SSP */
3224             is_orig = FALSE;
3225 
3226             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3227                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3228         }
3229         /* security is already in progress */
3230         else if (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)
3231         {
3232 /* coverity[uninit_use_in_call]
3233 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3234 False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3235 */
3236             if (memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3237             {
3238                 /* and it's not the device in bonding -> reject it */
3239                 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3240             }
3241             else
3242             {
3243                 /* local device initiated dedicated bonding */
3244                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3245             }
3246         }
3247         else
3248         {
3249             err_code = HCI_ERR_HOST_BUSY_PAIRING;
3250         }
3251     }
3252 
3253     /* paring is not allowed */
3254     if (btm_cb.pairing_disabled)
3255         err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3256 
3257     if (err_code != 0)
3258     {
3259 /* coverity[uninit_use_in_call]
3260 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3261 False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3262 */
3263         btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3264         return;
3265     }
3266 
3267     evt_data.is_orig = is_orig;
3268 
3269     if (is_orig)
3270     {
3271         /* local device initiated the pairing non-bonding -> use p_cur_service */
3272         if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3273             p_dev_rec->p_cur_service &&
3274             (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3275         {
3276             evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_MITM) ? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3277         }
3278     }
3279 
3280     /* Notify L2CAP to increase timeout */
3281     l2c_pin_code_request (evt_data.bd_addr);
3282 
3283     memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3284 
3285 /* coverity[uninit_use_in_call]
3286 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3287 False-positive: False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3288 */
3289     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3290         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3291 
3292     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3293 
3294     callback_rc = BTM_SUCCESS;
3295     if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3296     {
3297         p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3298 
3299         /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3300         evt_data.auth_req = BTM_AUTH_SPGB_YES;
3301     }
3302     else if (btm_cb.api.p_sp_callback)
3303     {
3304         /* the callback function implementation may change the IO capability... */
3305         callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3306     }
3307 
3308 #if BTM_OOB_INCLUDED == TRUE
3309     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3310 #else
3311     if (callback_rc == BTM_SUCCESS)
3312 #endif
3313     {
3314         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3315         {
3316             evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3317         }
3318 
3319         /* if the user does not indicate "reply later" by setting the oob_data to unknown
3320          * send the response right now. Save the current IO capability in the control block */
3321         btm_cb.devcb.loc_auth_req   = evt_data.auth_req;
3322         btm_cb.devcb.loc_io_caps    = evt_data.io_cap;
3323 
3324         BTM_TRACE_EVENT4 ("btm_io_capabilities_req: State: %s  IO_CAP:%d oob_data:%d auth_req:%d",
3325                           btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3326                           evt_data.oob_data, evt_data.auth_req);
3327 
3328         btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3329                                     evt_data.oob_data, evt_data.auth_req);
3330     }
3331 }
3332 
3333 /*******************************************************************************
3334 **
3335 ** Function         btm_io_capabilities_rsp
3336 **
3337 ** Description      This function is called when the IO capability of the
3338 **                  specified device is received
3339 **
3340 ** Returns          void
3341 **
3342 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3343 void btm_io_capabilities_rsp (UINT8 *p)
3344 {
3345     tBTM_SEC_DEV_REC *p_dev_rec;
3346     tBTM_SP_IO_RSP evt_data;
3347 
3348     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3349     STREAM_TO_UINT8 (evt_data.io_cap, p);
3350     STREAM_TO_UINT8 (evt_data.oob_data, p);
3351     STREAM_TO_UINT8 (evt_data.auth_req, p);
3352 
3353     /* Allocate a new device record or reuse the oldest one */
3354     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3355 
3356     /* If no security is in progress, this indicates incoming security */
3357     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3358     {
3359         memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3360 
3361         btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3362 
3363         /* Make sure we reset the trusted mask to help against attacks */
3364         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3365 
3366         /* work around for FW bug */
3367         btm_inq_stop_on_ssp();
3368     }
3369 
3370     /* Notify L2CAP to increase timeout */
3371     l2c_pin_code_request (evt_data.bd_addr);
3372 
3373     /* We must have a device record here.
3374      * Use the connecting device's CoD for the connection */
3375 /* coverity[uninit_use_in_call]
3376 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3377 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3378 */
3379     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3380         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3381 
3382     /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3383     if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3384         && (evt_data.auth_req & BTM_AUTH_DD_BOND) )            /* and dedicated bonding bit is set */
3385     {
3386         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3387     }
3388 
3389     /* save the IO capability in the device record */
3390     p_dev_rec->rmt_io_caps  = evt_data.io_cap;
3391     p_dev_rec->rmt_auth_req = evt_data.auth_req;
3392 
3393     if (btm_cb.api.p_sp_callback)
3394         (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3395 }
3396 
3397 /*******************************************************************************
3398 **
3399 ** Function         btm_proc_sp_req_evt
3400 **
3401 ** Description      This function is called to process/report
3402 **                  HCI_USER_CONFIRMATION_REQUEST_EVT
3403 **                  or HCI_USER_PASSKEY_REQUEST_EVT
3404 **                  or HCI_USER_PASSKEY_NOTIFY_EVT
3405 **
3406 ** Returns          void
3407 **
3408 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3409 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3410 {
3411     tBTM_STATUS status = BTM_ERR_PROCESSING;
3412     tBTM_SP_EVT_DATA evt_data;
3413     UINT8               *p_bda = evt_data.cfm_req.bd_addr;
3414     tBTM_SEC_DEV_REC *p_dev_rec;
3415 
3416     /* All events start with bd_addr */
3417     STREAM_TO_BDADDR (p_bda, p);
3418 
3419     BTM_TRACE_EVENT4 ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3420                       (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3421                       event, btm_pair_state_descr(btm_cb.pairing_state));
3422 
3423     if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3424          &&  (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3425          &&  (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3426     {
3427         memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3428         memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3429 
3430         BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3431 
3432         switch (event)
3433         {
3434             case BTM_SP_CFM_REQ_EVT:
3435                 /* Numeric confirmation. Need user to conf the passkey */
3436                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3437 
3438                 /* The device record must be allocated in the "IO cap exchange" step */
3439                 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3440 
3441                 evt_data.cfm_req.just_works = TRUE;
3442 
3443                 /* process user confirm req in association with the auth_req param */
3444 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3445                 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3446                      &&  (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3447                      &&  ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3448                 {
3449                     /* Both devices are DisplayYesNo and one or both devices want to authenticate
3450                        -> use authenticated link key */
3451                     evt_data.cfm_req.just_works = FALSE;
3452                 }
3453 #endif
3454                 BTM_TRACE_DEBUG5 ("btm_proc_sp_req_evt()  just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3455                                   evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3456                                   btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3457 
3458                 evt_data.cfm_req.loc_auth_req   = btm_cb.devcb.loc_auth_req;
3459                 evt_data.cfm_req.rmt_auth_req   = p_dev_rec->rmt_auth_req;
3460                 evt_data.cfm_req.loc_io_caps    = btm_cb.devcb.loc_io_caps;
3461                 evt_data.cfm_req.rmt_io_caps    = p_dev_rec->rmt_io_caps;
3462                 break;
3463 
3464             case BTM_SP_KEY_NOTIF_EVT:
3465                 /* Passkey notification (other side is a keyboard) */
3466                 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3467 
3468                 BTM_TRACE_DEBUG1 ("BTM_SP_KEY_NOTIF_EVT:  passkey: %u", evt_data.key_notif.passkey);
3469 
3470                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3471                 break;
3472 
3473 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3474             case BTM_SP_KEY_REQ_EVT:
3475                 /* HCI_USER_PASSKEY_REQUEST_EVT */
3476                 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3477                 break;
3478 #endif
3479         }
3480 
3481         if (btm_cb.api.p_sp_callback)
3482         {
3483             status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3484             if (status != BTM_NOT_AUTHORIZED)
3485             {
3486                 return;
3487             }
3488             /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3489         }
3490         else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3491         {
3492             /* automatically reply with just works if no sp_cback */
3493             status = BTM_SUCCESS;
3494         }
3495 
3496         if (event == BTM_SP_CFM_REQ_EVT)
3497         {
3498             BTM_TRACE_DEBUG1 ("calling BTM_ConfirmReqReply with status: %d", status);
3499             BTM_ConfirmReqReply (status, p_bda);
3500         }
3501 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3502         else if (event == BTM_SP_KEY_REQ_EVT)
3503         {
3504             BTM_PasskeyReqReply(status, p_bda, 0);
3505         }
3506 #endif
3507         return;
3508     }
3509 
3510     /* Something bad. we can only fail this connection */
3511     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3512 
3513     if (BTM_SP_CFM_REQ_EVT == event)
3514     {
3515         btsnd_hcic_user_conf_reply (p_bda, FALSE);
3516     }
3517     else if (BTM_SP_KEY_NOTIF_EVT == event)
3518     {
3519         /* do nothing -> it very unlikely to happen.
3520         This event is most likely to be received by a HID host when it first connects to a HID device.
3521         Usually the Host initiated the connection in this case.
3522         On Mobile platforms, if there's a security process happening,
3523         the host probably can not initiate another connection.
3524         BTW (PC) is another story.  */
3525         if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3526         {
3527             btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3528         }
3529     }
3530 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3531     else
3532     {
3533         btsnd_hcic_user_passkey_neg_reply(p_bda);
3534     }
3535 #endif
3536 }
3537 
3538 /*******************************************************************************
3539 **
3540 ** Function         btm_keypress_notif_evt
3541 **
3542 ** Description      This function is called when a key press notification is
3543 **                  received
3544 **
3545 ** Returns          void
3546 **
3547 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3548 void  btm_keypress_notif_evt (UINT8 *p)
3549 {
3550     tBTM_SP_KEYPRESS    evt_data;
3551     UINT8 *p_bda;
3552 
3553     /* parse & report BTM_SP_KEYPRESS_EVT */
3554     if (btm_cb.api.p_sp_callback)
3555     {
3556         p_bda = evt_data.bd_addr;
3557 
3558         STREAM_TO_BDADDR (p_bda, p);
3559         evt_data.notif_type = *p;
3560 
3561         (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3562     }
3563 }
3564 
3565 /*******************************************************************************
3566 **
3567 ** Function         btm_simple_pair_complete
3568 **
3569 ** Description      This function is called when simple pairing process is
3570 **                  complete
3571 **
3572 ** Returns          void
3573 **
3574 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3575 void btm_simple_pair_complete (UINT8 *p)
3576 {
3577     tBTM_SP_COMPLT  evt_data;
3578     tBTM_SEC_DEV_REC *p_dev_rec;
3579     UINT8           status;
3580     BOOLEAN         disc = FALSE;
3581 
3582     status = *p++;
3583     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3584 
3585     if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3586     {
3587         BTM_TRACE_ERROR2 ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3588                           (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3589                           (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3590         return;
3591     }
3592 
3593     BTM_TRACE_EVENT3 ("btm_simple_pair_complete()  Pair State: %s  Status:%d  sec_state: %u",
3594                       btm_pair_state_descr(btm_cb.pairing_state),  status, p_dev_rec->sec_state);
3595 
3596     evt_data.status = BTM_ERR_PROCESSING;
3597     if (status == HCI_SUCCESS)
3598     {
3599         evt_data.status = BTM_SUCCESS;
3600         p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3601     }
3602     else
3603     {
3604         if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3605         {
3606             /* The test spec wants the peer device to get this failure code. */
3607             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3608 
3609             /* Change the timer to 1 second */
3610             btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3611         }
3612         else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3613         {
3614             /* stop the timer */
3615             btu_stop_timer (&btm_cb.pairing_tle);
3616 
3617             if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3618             {
3619                 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3620                 disc = TRUE;
3621             }
3622         }
3623         else
3624             disc = TRUE;
3625     }
3626 
3627     /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3628     memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3629     memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3630 
3631     if (btm_cb.api.p_sp_callback)
3632         (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3633 
3634     if (disc)
3635     {
3636         /* simple pairing failed */
3637         btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE);
3638     }
3639 }
3640 
3641 #if BTM_OOB_INCLUDED == TRUE
3642 /*******************************************************************************
3643 **
3644 ** Function         btm_rem_oob_req
3645 **
3646 ** Description      This function is called to process/report
3647 **                  HCI_REMOTE_OOB_DATA_REQUEST_EVT
3648 **
3649 ** Returns          void
3650 **
3651 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3652 void btm_rem_oob_req (UINT8 *p)
3653 {
3654     UINT8 *p_bda;
3655     tBTM_SP_RMT_OOB  evt_data;
3656     tBTM_SEC_DEV_REC *p_dev_rec;
3657     BT_OCTET16      c;
3658     BT_OCTET16      r;
3659 
3660     p_bda = evt_data.bd_addr;
3661 
3662     STREAM_TO_BDADDR (p_bda, p);
3663 
3664     BTM_TRACE_EVENT6 ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3665                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3666 
3667     if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3668          btm_cb.api.p_sp_callback)
3669     {
3670         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3671         memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3672         BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3673         evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3674 
3675         btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3676         if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3677         {
3678             BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3679         }
3680         return;
3681     }
3682 
3683     /* something bad. we can only fail this connection */
3684     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3685     btsnd_hcic_rem_oob_neg_reply (p_bda);
3686 }
3687 
3688 /*******************************************************************************
3689 **
3690 ** Function         btm_read_local_oob_complete
3691 **
3692 ** Description      This function is called when read local oob data is
3693 **                  completed by the LM
3694 **
3695 ** Returns          void
3696 **
3697 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3698 void btm_read_local_oob_complete (UINT8 *p)
3699 {
3700     tBTM_SP_LOC_OOB evt_data;
3701     UINT8           status = *p++;
3702 
3703     BTM_TRACE_EVENT1 ("btm_read_local_oob_complete:%d", status);
3704     if (status == HCI_SUCCESS)
3705     {
3706         evt_data.status = BTM_SUCCESS;
3707         STREAM_TO_ARRAY16(evt_data.c, p);
3708         STREAM_TO_ARRAY16(evt_data.r, p);
3709     }
3710     else
3711         evt_data.status = BTM_ERR_PROCESSING;
3712 
3713     if (btm_cb.api.p_sp_callback)
3714         (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3715 }
3716 #endif /* BTM_OOB_INCLUDED */
3717 
3718 /*******************************************************************************
3719 **
3720 ** Function         btm_sec_auth_collision
3721 **
3722 ** Description      This function is called when authentication or encryption
3723 **                  needs to be retried at a later time.
3724 **
3725 ** Returns          void
3726 **
3727 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3728 static void btm_sec_auth_collision (UINT16 handle)
3729 {
3730     tBTM_SEC_DEV_REC *p_dev_rec;
3731 
3732     if (!btm_cb.collision_start_time)
3733         btm_cb.collision_start_time = GKI_get_tick_count ();
3734 
3735     if ((GKI_get_tick_count () - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3736     {
3737         if (handle == BTM_SEC_INVALID_HANDLE)
3738         {
3739             if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3740                 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3741         }
3742         else
3743             p_dev_rec = btm_find_dev_by_handle (handle);
3744 
3745         if (p_dev_rec != NULL)
3746         {
3747             BTM_TRACE_DEBUG1 ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3748             /* We will restart authentication after timeout */
3749             if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3750                 p_dev_rec->sec_state = 0;
3751 
3752             btm_cb.p_collided_dev_rec = p_dev_rec;
3753             btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
3754             btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3755         }
3756     }
3757 }
3758 
3759 /*******************************************************************************
3760 **
3761 ** Function         btm_sec_auth_complete
3762 **
3763 ** Description      This function is when authentication of the connection is
3764 **                  completed by the LM
3765 **
3766 ** Returns          void
3767 **
3768 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)3769 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
3770 {
3771     UINT8            old_sm4;
3772     tBTM_PAIRING_STATE  old_state   = btm_cb.pairing_state;
3773     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3774     BOOLEAN             are_bonding = FALSE;
3775 
3776     /* Commenting out trace due to obf/compilation problems.
3777     */
3778 #if (BT_USE_TRACES == TRUE)
3779     if (p_dev_rec)
3780     {
3781         BTM_TRACE_EVENT6 ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d  dev->sec_state: %u  Bda:%08x, RName:%s",
3782                           btm_pair_state_descr (btm_cb.pairing_state),
3783                           handle, status,
3784                           p_dev_rec->sec_state,
3785                           (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
3786                           p_dev_rec->sec_bd_name);
3787     }
3788     else
3789     {
3790         BTM_TRACE_EVENT3 ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d",
3791                           btm_pair_state_descr (btm_cb.pairing_state),
3792                           handle, status);
3793     }
3794 #endif
3795 
3796     /* For transaction collision we need to wait and repeat.  There is no need */
3797     /* for random timeout because only slave should receive the result */
3798     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
3799     {
3800         btm_sec_auth_collision(handle);
3801         return;
3802     }
3803     btm_cb.collision_start_time = 0;
3804 
3805     btm_restore_mode();
3806 
3807     /* Check if connection was made just to do bonding.  If we authenticate
3808        the connection that is up, this is the last event received.
3809     */
3810     if (p_dev_rec
3811         && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3812         && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
3813     {
3814         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3815 
3816         l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3817     }
3818 
3819     if (!p_dev_rec)
3820         return;
3821 
3822     /* keep the old sm4 flag and clear the retry bit in control block */
3823     old_sm4 = p_dev_rec->sm4;
3824     p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
3825 
3826     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3827          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3828          &&  (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
3829         are_bonding = TRUE;
3830 
3831     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3832 
3833     if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3834     {
3835         if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
3836              &&  (old_state != BTM_PAIR_STATE_IDLE) )
3837         {
3838             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3839                                                     p_dev_rec->dev_class,
3840                                                     p_dev_rec->sec_bd_name, status);
3841         }
3842         return;
3843     }
3844 
3845     /* There can be a race condition, when we are starting authentication and
3846     ** the peer device is doing encryption.
3847     ** If first we receive encryption change up, then initiated authentication
3848     ** can not be performed.  According to the spec we can not do authentication
3849     ** on the encrypted link, so device is correct.
3850     */
3851     if ((status == HCI_ERR_COMMAND_DISALLOWED)
3852         && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
3853             (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
3854     {
3855         status = HCI_SUCCESS;
3856     }
3857     /* Currently we do not notify user if it is a keyboard which connects */
3858     /* User probably Disabled the keyboard while it was asleap.  Let her try */
3859     if (btm_cb.api.p_auth_complete_callback)
3860     {
3861         /* report the suthentication status */
3862         if (old_state != BTM_PAIR_STATE_IDLE)
3863             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3864                                                     p_dev_rec->dev_class,
3865                                                     p_dev_rec->sec_bd_name, status);
3866     }
3867 
3868     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3869 
3870     /* If this is a bonding procedure can disconnect the link now */
3871     if (are_bonding)
3872     {
3873         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3874 
3875         if (status != HCI_SUCCESS)
3876             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER);
3877         else
3878             l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3879 
3880         return;
3881     }
3882 
3883     /* If authentication failed, notify the waiting layer */
3884     if (status != HCI_SUCCESS)
3885     {
3886         if ((old_sm4 & BTM_SM4_RETRY) == 0)
3887         {
3888             /* allow retry only once */
3889             if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
3890             {
3891                 /* not retried yet. set the retry bit */
3892                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
3893                 BTM_TRACE_DEBUG2 ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
3894             }
3895             /* this retry for missing key is for Lisbon or later only.
3896              * Legacy device do not need this. the controller will drive the retry automatically */
3897             else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
3898             {
3899                 /* not retried yet. set the retry bit */
3900                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
3901                 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
3902                 BTM_TRACE_DEBUG2 ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
3903 
3904                 /* With BRCM controller, we do not need to delete the stored link key in controller.
3905                 If the stack may sit on top of other controller, we may need this
3906                 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
3907             }
3908 
3909             if (p_dev_rec->sm4 & BTM_SM4_RETRY)
3910             {
3911                 btm_sec_execute_procedure (p_dev_rec);
3912                 return;
3913             }
3914         }
3915 
3916         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
3917 
3918         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
3919         {
3920             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE);
3921         }
3922         return;
3923     }
3924 
3925     p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3926 
3927     /* Authentication succeeded, execute the next security procedure, if any */
3928     status = btm_sec_execute_procedure (p_dev_rec);
3929 
3930     /* If there is no next procedure, or procedure failed to start, notify the caller */
3931     if (status != BTM_CMD_STARTED)
3932         btm_sec_dev_rec_cback_event (p_dev_rec, status);
3933 }
3934 
3935 /*******************************************************************************
3936 **
3937 ** Function         btm_sec_mkey_comp_event
3938 **
3939 ** Description      This function is when encryption of the connection is
3940 **                  completed by the LM
3941 **
3942 ** Returns          void
3943 **
3944 *******************************************************************************/
btm_sec_mkey_comp_event(UINT16 handle,UINT8 status,UINT8 key_flg)3945 void btm_sec_mkey_comp_event (UINT16 handle, UINT8 status, UINT8 key_flg)
3946 {
3947     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
3948     UINT8 bd_addr[BD_ADDR_LEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} ;
3949 
3950     BTM_TRACE_EVENT2 ("Security Manager: mkey comp status:%d State:%d",
3951                       status, (p_dev_rec) ? p_dev_rec->sec_state : 0);
3952 
3953     /* If encryption setup failed, notify the waiting layer */
3954     /* There is no next procedure or start of procedure failed, notify the waiting layer */
3955     if (btm_cb.mkey_cback)
3956     {
3957         if (!p_dev_rec)
3958             (btm_cb.mkey_cback)(bd_addr, status, key_flg );
3959         else
3960             (btm_cb.mkey_cback)(p_dev_rec->bd_addr, status, key_flg );
3961     }
3962 }
3963 
3964 /*******************************************************************************
3965 **
3966 ** Function         btm_sec_encrypt_change
3967 **
3968 ** Description      This function is when encryption of the connection is
3969 **                  completed by the LM
3970 **
3971 ** Returns          void
3972 **
3973 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)3974 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
3975 {
3976     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
3977 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
3978     tACL_CONN         *p_acl;
3979 #endif
3980     BTM_TRACE_EVENT3 ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
3981                       status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
3982     BTM_TRACE_DEBUG1 ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
3983 
3984     /* For transaction collision we need to wait and repeat.  There is no need */
3985     /* for random timeout because only slave should receive the result */
3986     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
3987     {
3988         btm_sec_auth_collision(handle);
3989         return;
3990     }
3991     btm_cb.collision_start_time = 0;
3992 
3993     if (!p_dev_rec)
3994         return;
3995 
3996     if ((status == HCI_SUCCESS) && encr_enable)
3997         p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
3998 
3999     /* It is possible that we decrypted the link to perform role switch */
4000     /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4001     if ((status == HCI_SUCCESS) && !encr_enable)
4002         p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4003 
4004     BTM_TRACE_DEBUG1 ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4005 
4006 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4007     p_acl = btm_bda_to_acl(p_dev_rec->bd_addr);
4008 
4009     if (p_acl && p_acl->is_le_link)
4010     {
4011         btm_ble_link_encrypted(p_dev_rec->bd_addr, encr_enable);
4012         return;
4013     }
4014     else
4015         /* BR/EDR connection, update the encryption key size to be 16 as always */
4016         p_dev_rec->enc_key_size = 16;
4017 #endif
4018 
4019     /* If this encryption was started by peer do not need to do anything */
4020     if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4021     {
4022         if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4023         {
4024             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4025             p_dev_rec->p_callback = NULL;
4026             l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4027         }
4028         return;
4029     }
4030 
4031     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4032 
4033     /* If encryption setup failed, notify the waiting layer */
4034     if (status != HCI_SUCCESS)
4035     {
4036         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
4037         return;
4038     }
4039 
4040     /* Encryption setup succeeded, execute the next security procedure, if any */
4041     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4042 
4043     /* If there is no next procedure, or procedure failed to start, notify the caller */
4044     if (status != BTM_CMD_STARTED)
4045         btm_sec_dev_rec_cback_event (p_dev_rec, status);
4046 }
4047 
4048 /*******************************************************************************
4049 **
4050 ** Function         btm_sec_create_conn
4051 **
4052 ** Description      This function records current role and forwards request to
4053 **                  HCI
4054 **
4055 ** Returns          void
4056 **
4057 *******************************************************************************/
btm_sec_create_conn(BD_ADDR bda,UINT16 packet_types,UINT8 page_scan_rep_mode,UINT8 page_scan_mode,UINT16 clock_offset,UINT8 allow_switch)4058 BOOLEAN btm_sec_create_conn (BD_ADDR bda, UINT16 packet_types,
4059                              UINT8 page_scan_rep_mode, UINT8 page_scan_mode,
4060                              UINT16 clock_offset, UINT8 allow_switch)
4061 {
4062     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (bda);
4063 
4064     memcpy (btm_cb.connecting_bda, p_dev_rec->bd_addr,   BD_ADDR_LEN);
4065     memcpy (btm_cb.connecting_dc,  p_dev_rec->dev_class, DEV_CLASS_LEN);
4066 
4067     btm_cb.acl_disc_reason = 0xff ;
4068 
4069     p_dev_rec->sec_state   = BTM_SEC_STATE_IDLE;
4070     p_dev_rec->role_master = TRUE;
4071 
4072     /* If any SCO link up, do not allow a switch */
4073     if (BTM_GetNumScoLinks() != 0)
4074         allow_switch = HCI_CR_CONN_NOT_ALLOW_SWITCH;
4075 
4076     return(btsnd_hcic_create_conn (bda, packet_types, page_scan_rep_mode,
4077                                    page_scan_mode, clock_offset, allow_switch));
4078 }
4079 
4080 /*******************************************************************************
4081 **
4082 ** Function         btm_sec_connect_after_reject_timeout
4083 **
4084 ** Description      Connection for bonding could not start because of the collision
4085 **                  Initiate outgoing connection
4086 **
4087 ** Returns          Pointer to the TLE struct
4088 **
4089 *******************************************************************************/
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4090 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4091 {
4092     tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4093 
4094     BTM_TRACE_EVENT0 ("btm_sec_connect_after_reject_timeout()");
4095     btm_cb.sec_collision_tle.param = 0;
4096     btm_cb.p_collided_dev_rec = 0;
4097 
4098     if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4099     {
4100         BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4101 
4102         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4103 
4104         (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
4105                                                 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4106     }
4107 }
4108 
4109 /*******************************************************************************
4110 **
4111 ** Function         btm_sec_connected
4112 **
4113 ** Description      This function is when a connection to the peer device is
4114 **                  establsihed
4115 **
4116 ** Returns          void
4117 **
4118 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4119 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4120 {
4121     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4122     UINT8            res;
4123     BOOLEAN          is_pairing_device = FALSE;
4124     tACL_CONN        *p_acl_cb;
4125 
4126     btm_acl_resubmit_page();
4127 
4128     /* Commenting out trace due to obf/compilation problems.
4129     */
4130 #if (BT_USE_TRACES == TRUE)
4131     if (p_dev_rec)
4132     {
4133         BTM_TRACE_EVENT6 ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x RName:%s",
4134                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4135                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4136                           p_dev_rec->sec_bd_name);
4137     }
4138     else
4139     {
4140         BTM_TRACE_EVENT5 ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x ",
4141                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4142                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4143     }
4144 #endif
4145 
4146     if (!p_dev_rec)
4147     {
4148         /* There is no device record for new connection.  Allocate one */
4149         if (status == HCI_SUCCESS)
4150         {
4151             p_dev_rec = btm_sec_alloc_dev (bda);
4152 #if BLE_INCLUDED == TRUE
4153             p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4154 #endif
4155         }
4156         else
4157         {
4158             /* can not find the device record and the status is error,
4159              * just ignore it */
4160             return;
4161         }
4162     }
4163     else    /* Update the timestamp for this device */
4164     {
4165         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4166         if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4167         {
4168             /* tell L2CAP it's a bonding connection. */
4169             if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4170                  &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4171                  &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4172             {
4173                 /* if incoming connection failed while pairing, then try to connect and continue */
4174                 /* Motorola S9 disconnects without asking pin code */
4175                 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4176                 {
4177                     BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4178 
4179                     p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4180                     if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4181                     {
4182                         /* Start timer with 0 to initiate connection with new LCB */
4183                         /* because L2CAP will delete current LCB with this event  */
4184                         btm_cb.p_collided_dev_rec = p_dev_rec;
4185                         btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4186                         btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4187                     }
4188                     else
4189                     {
4190                         btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4191                         BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL);
4192                     }
4193 #if BTM_DISC_DURING_RS == TRUE
4194                     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4195 #endif
4196                     return;
4197                 }
4198                 else
4199                 {
4200                     l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4201                 }
4202             }
4203             /* always clear the pending flag */
4204             p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4205         }
4206     }
4207 
4208 #if BTM_DISC_DURING_RS == TRUE
4209     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4210 #endif
4211 
4212     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4213 
4214     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4215          && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4216     {
4217         /* if we rejected incoming connection from bonding device */
4218         if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4219             &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4220         {
4221             BTM_TRACE_WARNING2 ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4222                 btm_cb.pairing_flags, p_dev_rec->sm4);
4223 
4224             btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4225             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4226             {
4227                 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4228                 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4229                 BTM_ReadRemoteDeviceName(bda, NULL);
4230                 return;
4231             }
4232 
4233             /* if we already have pin code */
4234             if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4235             {
4236                 /* Start timer with 0 to initiate connection with new LCB */
4237                 /* because L2CAP will delete current LCB with this event  */
4238                 btm_cb.p_collided_dev_rec = p_dev_rec;
4239                 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4240                 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4241             }
4242 
4243             return;
4244         }
4245         /* wait for incoming connection without resetting pairing state */
4246         else if (status == HCI_ERR_CONNECTION_EXISTS)
4247         {
4248             BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connected: Wait for incoming connection");
4249             return;
4250         }
4251 
4252         is_pairing_device = TRUE;
4253     }
4254 
4255     /* If connection was made to do bonding restore link security if changed */
4256     btm_restore_mode();
4257 
4258     /* if connection fails during pin request, notify application */
4259     if (status != HCI_SUCCESS)
4260     {
4261         /* If connection failed because of during pairing, need to tell user */
4262         if (is_pairing_device)
4263         {
4264             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4265             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
4266             BTM_TRACE_DEBUG1 ("security_required:%x ", p_dev_rec->security_required );
4267 
4268             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4269 
4270             /* We need to notify host that the key is not known any more */
4271             if (btm_cb.api.p_auth_complete_callback)
4272             {
4273                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4274                                                         p_dev_rec->dev_class,
4275                                                         p_dev_rec->sec_bd_name, status);
4276             }
4277         }
4278         else if ((status == HCI_ERR_AUTH_FAILURE)                   ||
4279                  (status == HCI_ERR_KEY_MISSING)                         ||
4280                  (status == HCI_ERR_HOST_REJECT_SECURITY)                ||
4281                  (status == HCI_ERR_PAIRING_NOT_ALLOWED)                 ||
4282                  (status == HCI_ERR_UNIT_KEY_USED)                       ||
4283                  (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4284                  (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)           ||
4285                  (status == HCI_ERR_REPEATED_ATTEMPTS))
4286         {
4287             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4288             p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4289 
4290             /* We need to notify host that the key is not known any more */
4291             if (btm_cb.api.p_auth_complete_callback)
4292             {
4293                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4294                                                         p_dev_rec->dev_class,
4295                                                         p_dev_rec->sec_bd_name, status);
4296             }
4297         }
4298 
4299         if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT  ||
4300             status == HCI_ERR_UNSPECIFIED     || status == HCI_ERR_PAGE_TIMEOUT)
4301             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT);
4302         else
4303             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
4304 
4305         return;
4306     }
4307 
4308     /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4309     /* If dedicated bonding, and we now have a link key, we are all done */
4310     if ( is_pairing_device
4311          && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4312     {
4313         if (p_dev_rec->link_key_not_sent)
4314         {
4315             p_dev_rec->link_key_not_sent = FALSE;
4316             btm_send_link_key_notif(p_dev_rec);
4317         }
4318 
4319         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4320 
4321         /* remember flag before it is initialized */
4322         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4323             res = TRUE;
4324         else
4325             res = FALSE;
4326 
4327         if (btm_cb.api.p_auth_complete_callback)
4328             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4329                                                     p_dev_rec->dev_class,
4330                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4331 
4332         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4333 
4334         if ( res )
4335         {
4336             /* Let l2cap start bond timer */
4337             l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4338         }
4339 
4340         return;
4341     }
4342 
4343     p_dev_rec->hci_handle = handle;
4344 
4345     /* role may not be correct here, it will be updated by l2cap, but we need to */
4346     /* notify btm_acl that link is up, so starting of rmt name request will not */
4347     /* set paging flag up */
4348     p_acl_cb = btm_bda_to_acl(bda);
4349     if (p_acl_cb)
4350     {
4351         /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4352 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4353         /* For now there are a some devices that do not like sending */
4354         /* commands events and data at the same time. */
4355         /* Set the packet types to the default allowed by the device */
4356         btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4357 
4358         if (btm_cb.btm_def_link_policy)
4359             BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4360 #endif
4361     }
4362     btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, FALSE);
4363 
4364     /* Initialize security flags.  We need to do that because some            */
4365     /* authorization complete could have come after the connection is dropped */
4366     /* and that would set wrong flag that link has been authorized already    */
4367     p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4368                               BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED);
4369 
4370     if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4371         p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4372 
4373     if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4374         p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4375 
4376     p_dev_rec->link_key_changed = FALSE;
4377 
4378     /* After connection is established we perform security if we do not know */
4379     /* the name, or if we are originator because some procedure can have */
4380     /* been scheduled while connection was down */
4381     BTM_TRACE_DEBUG1 ("is_originator:%d ", p_dev_rec->is_originator);
4382     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4383     {
4384         if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4385             btm_sec_dev_rec_cback_event (p_dev_rec, res);
4386     }
4387     return;
4388 }
4389 
4390 /*******************************************************************************
4391 **
4392 ** Function         btm_sec_role_changed
4393 **
4394 ** Description      This function is colled when controller reports role
4395 **                  changed, or failed command status for Role Change request
4396 **
4397 ** Returns          void
4398 **
4399 *******************************************************************************/
btm_sec_role_changed(void * p_ref_data)4400 void btm_sec_role_changed (void *p_ref_data)
4401 {
4402     tBTM_SEC_DEV_REC *p_dev_rec = (tBTM_SEC_DEV_REC *)p_ref_data;
4403     UINT8 res;
4404 
4405     BTM_TRACE_EVENT0 ("Security Manager: role changed");
4406 
4407     /* If this role switch was started by peer do not need to do anything */
4408     if (p_dev_rec->sec_state != BTM_SEC_STATE_SWITCHING_ROLE)
4409         return;
4410 
4411     /* If serurity required was to FORCE switch and it failed, notify the waiting layer */
4412     if (((p_dev_rec->security_required & BTM_SEC_FORCE_MASTER) && !p_dev_rec->role_master)
4413         || ((p_dev_rec->security_required & BTM_SEC_FORCE_SLAVE)  &&  p_dev_rec->role_master))
4414     {
4415         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
4416         return;
4417     }
4418 
4419     p_dev_rec->sec_flags |= BTM_SEC_ROLE_SWITCHED;
4420 
4421     p_dev_rec->security_required &= ~(BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
4422                                       BTM_SEC_FORCE_SLAVE  | BTM_SEC_ATTEMPT_SLAVE);
4423 
4424     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4425 
4426     if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4427     {
4428         btm_sec_dev_rec_cback_event (p_dev_rec, res);
4429     }
4430 }
4431 
4432 /*******************************************************************************
4433 **
4434 ** Function         btm_sec_disconnect
4435 **
4436 ** Description      This function is called to disconnect HCI link
4437 **
4438 ** Returns          btm status
4439 **
4440 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4441 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4442 {
4443     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4444 
4445     /* In some weird race condition we may not have a record */
4446     if (!p_dev_rec)
4447     {
4448         btsnd_hcic_disconnect (handle, reason);
4449         return(BTM_SUCCESS);
4450     }
4451 
4452     /* If we are in the process of bonding we need to tell client that auth failed */
4453     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4454          &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4455          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4456     {
4457         /* we are currently doing bonding.  Link will be disconnected when done */
4458         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4459         return(BTM_BUSY);
4460     }
4461 
4462     return(btm_sec_send_hci_disconnect(p_dev_rec, reason));
4463 }
4464 
4465 /*******************************************************************************
4466 **
4467 ** Function         btm_sec_disconnected
4468 **
4469 ** Description      This function is when a connection to the peer device is
4470 **                  dropped
4471 **
4472 ** Returns          void
4473 **
4474 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4475 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4476 {
4477     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4478     UINT8             old_pairing_flags = btm_cb.pairing_flags;
4479     int               result = HCI_ERR_AUTH_FAILURE;
4480     tBTM_SEC_CALLBACK   *p_callback = NULL;
4481 
4482     /* If page was delayed for disc complete, can do it now */
4483     btm_cb.discing = FALSE;
4484 
4485     btm_acl_resubmit_page();
4486 
4487     if (!p_dev_rec)
4488         return;
4489 
4490     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4491 
4492 #if BTM_DISC_DURING_RS == TRUE
4493     BTM_TRACE_ERROR0("btm_sec_disconnected - Clearing Pending flag");
4494     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4495 #endif
4496 
4497     /* clear unused flags */
4498     p_dev_rec->sm4 &= BTM_SM4_TRUE;
4499 
4500     BTM_TRACE_EVENT6("btm_sec_disconnected() sec_req:x%x  State: %s   reason:%d bda:%04x%08x RName:%s",
4501                      p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state), reason,  (p_dev_rec->bd_addr[0]<<8)+p_dev_rec->bd_addr[1],
4502                      (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5], p_dev_rec->sec_bd_name);
4503 
4504     BTM_TRACE_EVENT1("before Update sec_flags=0x%x", p_dev_rec->sec_flags);
4505 
4506     /* If we are in the process of bonding we need to tell client that auth failed */
4507     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4508          && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4509     {
4510         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4511         p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4512         if (btm_cb.api.p_auth_complete_callback)
4513         {
4514             /* If the disconnection reason is REPEATED_ATTEMPTS,
4515                send this error message to complete callback function
4516                to display the error message of Repeated attempts.
4517                All others, send HCI_ERR_AUTH_FAILURE. */
4518             if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4519             {
4520                 result = HCI_ERR_REPEATED_ATTEMPTS;
4521             }
4522             else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4523             {
4524                 result = HCI_ERR_HOST_REJECT_SECURITY;
4525             }
4526             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,     p_dev_rec->dev_class,
4527                                                     p_dev_rec->sec_bd_name, result);
4528         }
4529     }
4530 
4531     p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4532     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
4533 
4534 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4535     p_dev_rec->enc_key_size = 0;
4536     btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, FALSE);
4537     /* see sec_flags processing in btm_acl_removed */
4538 #endif
4539     p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED);
4540 
4541     p_dev_rec->security_required = BTM_SEC_NONE;
4542 
4543     p_callback = p_dev_rec->p_callback;
4544 
4545     /* if security is pending, send callback to clean up the security state */
4546     if(p_callback)
4547     {
4548         p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4549                                          we do, this call back must be reset here */
4550         (*p_callback) (p_dev_rec->bd_addr, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4551     }
4552 
4553     BTM_TRACE_EVENT1("after Update sec_flags=0x%x", p_dev_rec->sec_flags);
4554 }
4555 
4556 /*******************************************************************************
4557 **
4558 ** Function         btm_sec_link_key_notification
4559 **
4560 ** Description      This function is called when a new connection link key is
4561 **                  generated
4562 **
4563 ** Returns          Pointer to the record or NULL
4564 **
4565 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4566 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4567 {
4568     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4569     BOOLEAN          we_are_bonding = FALSE;
4570 
4571     BTM_TRACE_EVENT3 ("btm_sec_link_key_notification()  BDA:%04x%08x, TYPE: %d",
4572                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4573                       key_type);
4574 
4575     /* If connection was made to do bonding restore link security if changed */
4576     btm_restore_mode();
4577 
4578     /* Override the key type if version is pre-1.1 */
4579     if (btm_cb.devcb.local_version.hci_version < HCI_VERSION_1_1)
4580         p_dev_rec->link_key_type = BTM_LKEY_TYPE_IGNORE;
4581     if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4582         p_dev_rec->link_key_type = key_type;
4583 
4584     p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4585 #if (BLE_INCLUDED == TRUE)
4586     /* BR/EDR connection, update the encryption key size to be 16 as always */
4587     p_dev_rec->enc_key_size = 16;
4588 #endif
4589     memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4590 
4591     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4592          && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4593     {
4594         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4595             we_are_bonding = TRUE;
4596         else
4597             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4598     }
4599 
4600     /* If name is not known at this point delay calling callback until the name is   */
4601     /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4602     if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4603         &&  ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL)) )
4604     {
4605         BTM_TRACE_EVENT3 ("btm_sec_link_key_notification()  Delayed BDA: %08x%04x Type:%d",
4606                           (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5], key_type);
4607 
4608         p_dev_rec->link_key_not_sent = TRUE;
4609 
4610         /* If it is for bonding nothing else will follow, so we need to start name resolution */
4611         if (we_are_bonding)
4612         {
4613             if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4614                 btm_inq_rmt_name_failed();
4615         }
4616 
4617         BTM_TRACE_EVENT3 ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4618         return;
4619     }
4620 
4621     /* If its not us who perform authentication, we should tell stackserver */
4622     /* that some authentication has been completed                          */
4623     /* This is required when different entities receive link notification and auth complete */
4624     if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
4625     {
4626         if (btm_cb.api.p_auth_complete_callback)
4627             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4628                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4629     }
4630 
4631     /* We will save link key only if the user authorized it - BTE report link key in all cases */
4632 #ifdef BRCM_NONE_BTE
4633     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4634 #endif
4635     {
4636         if (btm_cb.api.p_link_key_callback)
4637         {
4638             (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,  p_dev_rec->sec_bd_name,
4639                                                p_link_key, p_dev_rec->link_key_type);
4640         }
4641     }
4642 }
4643 
4644 /*******************************************************************************
4645 **
4646 ** Function         btm_sec_link_key_request
4647 **
4648 ** Description      This function is called when controller requests link key
4649 **
4650 ** Returns          Pointer to the record or NULL
4651 **
4652 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)4653 void btm_sec_link_key_request (UINT8 *p_bda)
4654 {
4655     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4656 
4657     BTM_TRACE_EVENT6 ("btm_sec_link_key_request()  BDA: %02x:%02x:%02x:%02x:%02x:%02x",
4658                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
4659 
4660     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
4661     {
4662         btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4663         return;
4664     }
4665 
4666     /* Notify L2CAP to increase timeout */
4667     l2c_pin_code_request (p_bda);
4668 
4669     /* Only ask the host for a key if this guy is not already bonding */
4670     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
4671          || (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) )
4672     {
4673         if (btm_cb.api.p_link_key_req_callback)
4674         {
4675             if ((*btm_cb.api.p_link_key_req_callback)(p_bda, p_dev_rec->link_key) == BTM_SUCCESS)
4676             {
4677                 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4678                 return;
4679             }
4680         }
4681     }
4682 
4683     /* The link key is not in the database and it is not known to the manager */
4684     btsnd_hcic_link_key_neg_reply (p_bda);
4685 }
4686 
4687 /*******************************************************************************
4688 **
4689 ** Function         btm_sec_pairing_timeout
4690 **
4691 ** Description      This function is called when host does not provide PIN
4692 **                  within requested time
4693 **
4694 ** Returns          Pointer to the TLE struct
4695 **
4696 *******************************************************************************/
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)4697 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
4698 {
4699     tBTM_CB *p_cb = &btm_cb;
4700     tBTM_SEC_DEV_REC *p_dev_rec;
4701 #if BTM_OOB_INCLUDED == TRUE
4702 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
4703     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_NO;
4704 #else
4705     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_YES;
4706 #endif
4707 #endif
4708     UINT8   name[2];
4709 
4710     p_cb->pairing_tle.param = 0;
4711 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
4712 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
4713 */
4714     p_dev_rec = btm_find_dev (p_cb->pairing_bda);
4715 
4716     BTM_TRACE_EVENT2 ("btm_sec_pairing_timeout()  State: %s   Flags: %u",
4717                       btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
4718 
4719     switch (p_cb->pairing_state)
4720     {
4721         case BTM_PAIR_STATE_WAIT_PIN_REQ:
4722             btm_sec_bond_cancel_complete();
4723             break;
4724 
4725         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
4726             if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
4727                 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
4728             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4729             /* We need to notify the UI that no longer need the PIN */
4730             if (btm_cb.api.p_auth_complete_callback)
4731             {
4732                 if (p_dev_rec == NULL)
4733                 {
4734                     name[0] = 0;
4735                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4736                                                             NULL,
4737                                                             name, HCI_ERR_CONNECTION_TOUT);
4738                 }
4739                 else
4740                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4741                                                             p_dev_rec->dev_class,
4742                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4743             }
4744             break;
4745 
4746         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
4747             btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
4748             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4749             break;
4750 
4751 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
4752         case BTM_PAIR_STATE_KEY_ENTRY:
4753             btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
4754             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4755             break;
4756 #endif /* !BTM_IO_CAP_NONE */
4757 
4758 #if BTM_OOB_INCLUDED == TRUE
4759         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
4760             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4761                 auth_req |= BTM_AUTH_DD_BOND;
4762 
4763             btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
4764                                          BTM_OOB_NONE, auth_req);
4765             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4766             break;
4767 
4768         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
4769             btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
4770             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4771             break;
4772 #endif /* BTM_OOB_INCLUDED */
4773 
4774         case BTM_PAIR_STATE_WAIT_DISCONNECT:
4775             /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
4776              * now it's time to tear down the ACL link*/
4777             if (p_dev_rec == NULL)
4778             {
4779                 BTM_TRACE_ERROR2 ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
4780                                   (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
4781                                   (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
4782                 break;
4783             }
4784             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE);
4785             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4786             break;
4787 
4788         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
4789             /* We need to notify the UI that timeout has happened while waiting for authentication*/
4790             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4791             if (btm_cb.api.p_auth_complete_callback)
4792             {
4793                 if (p_dev_rec == NULL)
4794                 {
4795                     name[0] = 0;
4796                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4797                                                             NULL,
4798                                                             name, HCI_ERR_CONNECTION_TOUT);
4799                 }
4800                 else
4801                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4802                                                             p_dev_rec->dev_class,
4803                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4804             }
4805             break;
4806 
4807         default:
4808             BTM_TRACE_WARNING1 ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
4809             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4810             break;
4811     }
4812 }
4813 
4814 /*******************************************************************************
4815 **
4816 ** Function         btm_sec_pin_code_request
4817 **
4818 ** Description      This function is called when controller requests PIN code
4819 **
4820 ** Returns          Pointer to the record or NULL
4821 **
4822 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)4823 void btm_sec_pin_code_request (UINT8 *p_bda)
4824 {
4825     tBTM_SEC_DEV_REC *p_dev_rec;
4826     tBTM_CB          *p_cb = &btm_cb;
4827 
4828     BTM_TRACE_EVENT3 ("btm_sec_pin_code_request()  State: %s, BDA:%04x%08x",
4829                       btm_pair_state_descr(btm_cb.pairing_state),
4830                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
4831 
4832     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4833     {
4834         if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0)  &&
4835              (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
4836         {
4837              /* fake this out - porshe carkit issue - */
4838 //            btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
4839              if(! btm_cb.pin_code_len_saved)
4840              {
4841                  btsnd_hcic_pin_code_neg_reply (p_bda);
4842                  return;
4843              }
4844              else
4845              {
4846                  btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
4847       	         return;
4848              }
4849         }
4850         else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
4851                  || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
4852         {
4853             BTM_TRACE_WARNING1 ("btm_sec_pin_code_request() rejected - state: %s",
4854                                 btm_pair_state_descr(btm_cb.pairing_state));
4855 
4856 #ifdef PORCHE_PAIRING_CONFLICT
4857             /* reply pin code again due to counter in_rand when local initiates pairing */
4858             BTM_TRACE_EVENT0 ("btm_sec_pin_code_request from remote dev. for local initiated pairing");
4859             if(! btm_cb.pin_code_len_saved)
4860             {
4861                 btsnd_hcic_pin_code_neg_reply (p_bda);
4862             }
4863             else
4864             {
4865                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4866                 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
4867             }
4868 #else
4869             btsnd_hcic_pin_code_neg_reply (p_bda);
4870 #endif
4871             return;
4872         }
4873     }
4874 
4875     p_dev_rec = btm_find_or_alloc_dev (p_bda);
4876     /* received PIN code request. must be non-sm4 */
4877     p_dev_rec->sm4 = BTM_SM4_KNOWN;
4878 
4879     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
4880     {
4881         memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
4882 
4883         btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
4884         /* Make sure we reset the trusted mask to help against attacks */
4885         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
4886     }
4887 
4888     if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
4889     {
4890         BTM_TRACE_EVENT0 ("btm_sec_pin_code_request fixed pin replying");
4891         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4892         btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
4893         return;
4894     }
4895 
4896     /* Use the connecting device's CoD for the connection */
4897     if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
4898          &&  (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
4899         memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
4900 
4901     /* We could have started connection after asking user for the PIN code */
4902     if (btm_cb.pin_code_len != 0)
4903     {
4904         BTM_TRACE_EVENT0 ("btm_sec_pin_code_request bonding sending reply");
4905         btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
4906 
4907 #ifdef PORCHE_PAIRING_CONFLICT
4908         btm_cb.pin_code_len_saved = btm_cb.pin_code_len;
4909 #endif
4910 
4911         /* Mark that we forwarded received from the user PIN code */
4912         btm_cb.pin_code_len = 0;
4913 
4914         /* We can change mode back right away, that other connection being established */
4915         /* is not forced to be secure - found a FW issue, so we can not do this
4916         btm_restore_mode(); */
4917 
4918         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4919     }
4920 
4921     /* If pairing disabled OR (no PIN callback and not bonding) */
4922     /* OR we could not allocate entry in the database reject pairing request */
4923     else if (p_cb->pairing_disabled
4924              || (p_cb->api.p_pin_callback == NULL)
4925 
4926              /* OR Microsoft keyboard can for some reason try to establish connection */
4927              /*  the only thing we can do here is to shut it up.  Normally we will be originator */
4928              /*  for keyboard bonding */
4929              || (!p_dev_rec->is_originator
4930                  && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
4931                  &&  (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
4932     {
4933         BTM_TRACE_WARNING3("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
4934                            p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
4935 
4936         btsnd_hcic_pin_code_neg_reply (p_bda);
4937     }
4938     /* Notify upper layer of PIN request and start expiration timer */
4939     else
4940     {
4941         btm_cb.pin_code_len_saved = 0;
4942         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
4943         /* Pin code request can not come at the same time as connection request */
4944         memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
4945         memcpy (p_cb->connecting_dc,  p_dev_rec->dev_class, DEV_CLASS_LEN);
4946 
4947         /* Check if the name is known */
4948         /* Even if name is not known we might not be able to get one */
4949         /* this is the case when we are already getting something from the */
4950         /* device, so HCI level is flow controlled */
4951         /* Also cannot send remote name request while paging, i.e. connection is not completed */
4952         if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4953         {
4954             BTM_TRACE_EVENT0 ("btm_sec_pin_code_request going for callback");
4955 
4956             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
4957             if (p_cb->api.p_pin_callback)
4958                 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
4959         }
4960         else
4961         {
4962             BTM_TRACE_EVENT0 ("btm_sec_pin_code_request going for remote name");
4963 
4964             /* We received PIN code request for the device with unknown name */
4965             /* it is not user friendly just to ask for the PIN without name */
4966             /* try to get name at first */
4967             if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
4968                                           HCI_PAGE_SCAN_REP_MODE_R1,
4969                                           HCI_MANDATARY_PAGE_SCAN_MODE, 0))
4970             {
4971                 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
4972                 p_dev_rec->sec_bd_name[0] = 'f';
4973                 p_dev_rec->sec_bd_name[1] = '0';
4974                 BTM_TRACE_ERROR0 ("can not send rmt_name_req?? fake a name and call callback");
4975 
4976                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
4977                 if (p_cb->api.p_pin_callback)
4978                     (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
4979             }
4980         }
4981     }
4982 
4983     return;
4984 }
4985 
4986 /*******************************************************************************
4987 **
4988 ** Function         btm_sec_update_clock_offset
4989 **
4990 ** Description      This function is called to update clock offset
4991 **
4992 ** Returns          void
4993 **
4994 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)4995 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
4996 {
4997     tBTM_SEC_DEV_REC  *p_dev_rec;
4998     tBTM_INQ_INFO     *p_inq_info;
4999 
5000     if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5001         return;
5002 
5003     p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5004 
5005     if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5006         return;
5007 
5008     p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5009 }
5010 
5011 
5012 /******************************************************************
5013 ** S T A T I C     F U N C T I O N S
5014 *******************************************************************/
5015 
5016 /*******************************************************************************
5017 **
5018 ** Function         btm_sec_execute_procedure
5019 **
5020 ** Description      This function is called to start required security
5021 **                  procedure.  There is a case when multiplexing protocol
5022 **                  calls this function on the originating side, connection to
5023 **                  the peer will not be established.  This function in this
5024 **                  case performs only authorization.
5025 **
5026 ** Returns          BTM_SUCCESS     - permission is granted
5027 **                  BTM_CMD_STARTED - in process
5028 **                  BTM_NO_RESOURCES  - permission declined
5029 **
5030 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5031 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5032 {
5033     BTM_TRACE_EVENT3 ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5034                       p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5035 
5036     /* There is a chance that we are getting name.  Wait until done. */
5037     if (p_dev_rec->sec_state != 0)
5038         return(BTM_CMD_STARTED);
5039 
5040     /* If any security is required, get the name first */
5041     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5042         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5043     {
5044         BTM_TRACE_EVENT0 ("Security Manager: Start get name");
5045         if (!btm_sec_start_get_name (p_dev_rec))
5046         {
5047             return(BTM_NO_RESOURCES);
5048         }
5049         return(BTM_CMD_STARTED);
5050     }
5051 
5052     /* If connection is not authenticated and authentication is required */
5053     /* start authentication and return PENDING to the caller */
5054     if ((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5055         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5056             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))
5057         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5058     {
5059 #if (L2CAP_UCD_INCLUDED == TRUE)
5060         /* if incoming UCD packet, discard it */
5061         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5062             return(BTM_FAILED_ON_SECURITY);
5063 #endif
5064 
5065         BTM_TRACE_EVENT0 ("Security Manager: Start authentication");
5066 
5067         if (!btm_sec_start_authentication (p_dev_rec))
5068         {
5069             return(BTM_NO_RESOURCES);
5070         }
5071         return(BTM_CMD_STARTED);
5072     }
5073 
5074     /* If connection is not encrypted and encryption is required */
5075     /* start encryption and return PENDING to the caller */
5076     if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5077         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5078             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5079         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5080     {
5081 #if (L2CAP_UCD_INCLUDED == TRUE)
5082         /* if incoming UCD packet, discard it */
5083         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5084             return(BTM_FAILED_ON_SECURITY);
5085 #endif
5086 
5087         BTM_TRACE_EVENT0 ("Security Manager: Start encryption");
5088 
5089         if (!btm_sec_start_encryption (p_dev_rec))
5090         {
5091             return(BTM_NO_RESOURCES);
5092         }
5093         return(BTM_CMD_STARTED);
5094     }
5095 
5096     /* If connection is not authorized and authorization is required */
5097     /* start authorization and return PENDING to the caller */
5098     if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5099         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5100             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5101     {
5102         BTM_TRACE_EVENT2 ("service id:%d, is trusted:%d",
5103                           p_dev_rec->p_cur_service->service_id,
5104                           (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5105                                                       p_dev_rec->p_cur_service->service_id)));
5106         if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5107             (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5108             (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5109                                         p_dev_rec->p_cur_service->service_id) == FALSE))
5110         {
5111             BTM_TRACE_EVENT0 ("Security Manager: Start authorization");
5112             return(btm_sec_start_authorization (p_dev_rec));
5113         }
5114     }
5115 
5116     /* All required  security procedures already established */
5117     p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5118                                       BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5119                                       BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5120                                       BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5121                                       BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5122 
5123     BTM_TRACE_EVENT2 ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5124     BTM_TRACE_EVENT0 ("Security Manager: access granted");
5125 
5126     return(BTM_SUCCESS);
5127 }
5128 
5129 
5130 /*******************************************************************************
5131 **
5132 ** Function         btm_sec_start_get_name
5133 **
5134 ** Description      This function is called to start get name procedure
5135 **
5136 ** Returns          TRUE if started
5137 **
5138 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5139 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5140 {
5141     UINT8 tempstate = p_dev_rec->sec_state;
5142 
5143     p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5144 
5145     /* Device should be connected, no need to provide correct page params */
5146     /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5147     if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5148                                 0, NULL)) != BTM_CMD_STARTED)
5149     {
5150         p_dev_rec->sec_state = tempstate;
5151         return(FALSE);
5152     }
5153 
5154     return(TRUE);
5155 }
5156 
5157 /*******************************************************************************
5158 **
5159 ** Function         btm_sec_start_authentication
5160 **
5161 ** Description      This function is called to start authentication
5162 **
5163 ** Returns          TRUE if started
5164 **
5165 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5166 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5167 {
5168     p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5169 
5170     return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5171 }
5172 
5173 /*******************************************************************************
5174 **
5175 ** Function         btm_sec_start_encryption
5176 **
5177 ** Description      This function is called to start encryption
5178 **
5179 ** Returns          TRUE if started
5180 **
5181 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5182 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5183 {
5184     if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5185         return(FALSE);
5186 
5187     p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5188     return(TRUE);
5189 }
5190 
5191 
5192 /*******************************************************************************
5193 **
5194 ** Function         btm_sec_start_authorization
5195 **
5196 ** Description      This function is called to start authorization
5197 **
5198 ** Returns          TRUE if started
5199 **
5200 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5201 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5202 {
5203     UINT8    result;
5204     UINT8   *p_service_name = NULL;
5205     UINT8    service_id;
5206 
5207     if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5208         || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5209     {
5210         if (!btm_cb.api.p_authorize_callback)
5211             return(BTM_MODE_UNSUPPORTED);
5212 
5213         if (p_dev_rec->p_cur_service)
5214         {
5215 #if BTM_SEC_SERVICE_NAME_LEN > 0
5216             if (p_dev_rec->is_originator)
5217                 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5218             else
5219                 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5220 #endif
5221             service_id = p_dev_rec->p_cur_service->service_id;
5222         }
5223         else
5224             service_id = 0;
5225 
5226         /* Send authorization request if not already sent during this service connection */
5227         if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5228             || p_dev_rec->last_author_service_id != service_id)
5229         {
5230             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5231             result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5232                                                      p_dev_rec->dev_class,
5233                                                      p_dev_rec->sec_bd_name,
5234                                                      p_service_name,
5235                                                      service_id,
5236                                                      p_dev_rec->is_originator);
5237         }
5238 
5239         else    /* Already authorized once for this L2CAP bringup */
5240         {
5241             BTM_TRACE_DEBUG1 ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5242             return (BTM_SUCCESS);
5243         }
5244 
5245         if (result == BTM_SUCCESS)
5246         {
5247             p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5248 
5249             /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5250             if (!p_dev_rec->is_originator)
5251                 p_dev_rec->last_author_service_id = service_id;
5252 
5253             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5254         }
5255         return(result);
5256     }
5257     btm_sec_start_get_name (p_dev_rec);
5258     return(BTM_CMD_STARTED);
5259 }
5260 
5261 /*******************************************************************************
5262 **
5263 ** Function         btm_sec_are_all_trusted
5264 **
5265 ** Description      This function is called check if all services are trusted
5266 **
5267 ** Returns          TRUE if all are trusted, otherwise FALSE
5268 **
5269 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5270 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5271 {
5272     UINT32 trusted_inx;
5273     for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5274     {
5275         if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5276             return(FALSE);
5277     }
5278 
5279     return(TRUE);
5280 }
5281 
5282 /*******************************************************************************
5283 **
5284 ** Function         btm_sec_find_first_serv
5285 **
5286 ** Description      Look for the first record in the service database
5287 **                  with specified PSM
5288 **
5289 ** Returns          Pointer to the record or NULL
5290 **
5291 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5292 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5293 {
5294     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5295     int i;
5296     BOOLEAN is_originator;
5297 
5298 #if (L2CAP_UCD_INCLUDED == TRUE)
5299 
5300     if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5301         is_originator = TRUE;
5302     else
5303         is_originator = FALSE;
5304 #else
5305     is_originator = conn_type;
5306 #endif
5307 
5308     if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5309     {
5310         /* If this is outgoing connection and the PSM matches p_out_serv,
5311          * use it as the current service */
5312         return btm_cb.p_out_serv;
5313     }
5314 
5315     /* otherwise, just find the first record with the specified PSM */
5316     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5317     {
5318         if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5319             return(p_serv_rec);
5320     }
5321     return(NULL);
5322 }
5323 
5324 
5325 /*******************************************************************************
5326 **
5327 ** Function         btm_sec_find_next_serv
5328 **
5329 ** Description      Look for the next record in the service database
5330 **                  with specified PSM
5331 **
5332 ** Returns          Pointer to the record or NULL
5333 **
5334 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5335 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5336 {
5337     tBTM_SEC_SERV_REC *p_serv_rec   = &btm_cb.sec_serv_rec[0];
5338     int               i;
5339 
5340     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5341     {
5342         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5343             && (p_serv_rec->psm == p_cur->psm) )
5344         {
5345             if (p_cur != p_serv_rec)
5346             {
5347                 return(p_serv_rec);
5348             }
5349         }
5350     }
5351     return(NULL);
5352 }
5353 
5354 
5355 /*******************************************************************************
5356 **
5357 ** Function         btm_sec_find_mx_serv
5358 **
5359 ** Description      Look for the record in the service database with specified
5360 **                  PSM and multiplexor channel information
5361 **
5362 ** Returns          Pointer to the record or NULL
5363 **
5364 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5365 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5366                                                 UINT32 mx_proto_id, UINT32 mx_chan_id)
5367 {
5368     tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5369     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5370     int i;
5371 
5372     BTM_TRACE_DEBUG0 ("btm_sec_find_mx_serv");
5373     if (is_originator && p_out_serv && p_out_serv->psm == psm
5374         && p_out_serv->mx_proto_id == mx_proto_id
5375         && p_out_serv->orig_mx_chan_id == mx_chan_id)
5376     {
5377         /* If this is outgoing connection and the parameters match p_out_serv,
5378          * use it as the current service */
5379         return btm_cb.p_out_serv;
5380     }
5381 
5382     /* otherwise, the old way */
5383     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5384     {
5385         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5386             && (p_serv_rec->psm == psm)
5387             && (p_serv_rec->mx_proto_id == mx_proto_id)
5388             && (( is_originator && (p_serv_rec->orig_mx_chan_id  == mx_chan_id))
5389                 || (!is_originator && (p_serv_rec->term_mx_chan_id  == mx_chan_id))))
5390         {
5391             return(p_serv_rec);
5392         }
5393     }
5394     return(NULL);
5395 }
5396 
5397 
5398 /*******************************************************************************
5399 **
5400 ** Function         btm_sec_collision_timeout
5401 **
5402 ** Description      Encryption could not start because of the collision
5403 **                  try to do it again
5404 **
5405 ** Returns          Pointer to the TLE struct
5406 **
5407 *******************************************************************************/
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5408 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5409 {
5410     tBTM_STATUS status;
5411 
5412     BTM_TRACE_EVENT0 ("btm_sec_collision_timeout()");
5413     btm_cb.sec_collision_tle.param = 0;
5414 
5415     status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5416 
5417     /* If result is pending reply from the user or from the device is pending */
5418     if (status != BTM_CMD_STARTED)
5419     {
5420         /* There is no next procedure or start of procedure failed, notify the waiting layer */
5421         btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status);
5422     }
5423 }
5424 
5425 /*******************************************************************************
5426 **
5427 ** Function         btm_sec_link_key_request
5428 **
5429 ** Description      This function is called when controller requests link key
5430 **
5431 ** Returns          Pointer to the record or NULL
5432 **
5433 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5434 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5435 {
5436     if (btm_cb.api.p_link_key_callback)
5437         (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5438                                            p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5439                                            p_dev_rec->link_key_type);
5440 }
5441 
5442 /*******************************************************************************
5443 **
5444 ** Function         BTM_ReadTrustedMask
5445 **
5446 ** Description      Get trusted mask for the peer device
5447 **
5448 ** Parameters:      bd_addr   - Address of the device
5449 **
5450 ** Returns          NULL, if the device record is not found.
5451 **                  otherwise, the trusted mask
5452 **
5453 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5454 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5455 {
5456     tBTM_SEC_DEV_REC *p_dev_rec;
5457 
5458     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
5459     {
5460         return(p_dev_rec->trusted_mask);
5461     }
5462     else
5463     {
5464         return NULL;
5465     }
5466 }
5467 
5468 /*******************************************************************************
5469 **
5470 ** Function         btm_restore_mode
5471 **
5472 ** Description      This function returns the security mode to previous setting
5473 **                  if it was changed during bonding.
5474 **
5475 **
5476 ** Parameters:      void
5477 **
5478 *******************************************************************************/
btm_restore_mode(void)5479 static void btm_restore_mode(void)
5480 {
5481     if (btm_cb.security_mode_changed)
5482     {
5483         btm_cb.security_mode_changed = FALSE;
5484         BTM_TRACE_DEBUG1("btm_restore_mode: Authen Enable -> %d", (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5485         btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5486     }
5487 
5488     if (btm_cb.pin_type_changed)
5489     {
5490         btm_cb.pin_type_changed = FALSE;
5491         btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5492     }
5493 }
5494 
5495 
5496 /*******************************************************************************
5497 **
5498 ** Function         btm_sec_find_dev_by_sec_state
5499 **
5500 ** Description      Look for the record in the device database for the device
5501 **                  which is being authenticated or encrypted
5502 **
5503 ** Returns          Pointer to the record or NULL
5504 **
5505 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5506 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5507 {
5508     tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5509     int i;
5510 
5511     for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5512     {
5513         if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5514             && (p_dev_rec->sec_state == state))
5515             return(p_dev_rec);
5516     }
5517     return(NULL);
5518 }
5519 
5520 /*******************************************************************************
5521 **
5522 ** Function         BTM_snd_conn_encrypt
5523 **
5524 ** Description      This function is called to start/stop encryption
5525 **                  Used by JSR-82
5526 **
5527 ** Returns          TRUE if request started
5528 **
5529 *******************************************************************************/
BTM_snd_conn_encrypt(UINT16 handle,BOOLEAN enable)5530 BOOLEAN BTM_snd_conn_encrypt (UINT16  handle, BOOLEAN enable)
5531 {
5532     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
5533 
5534     BTM_TRACE_EVENT2 ("BTM_snd_conn_encrypt Security Manager: encrypt_change p_dev_rec : 0x%x, enable = %s", p_dev_rec, (enable == TRUE) ? "TRUE" : "FALSE");
5535 
5536     if (!p_dev_rec)
5537     {
5538         BTM_TRACE_EVENT1 ("BTM_snd_conn_encrypt Error no  p_dev_rec : 0x%x\n", p_dev_rec);
5539         return(FALSE);
5540     }
5541 
5542     if ( p_dev_rec->sec_state == BTM_SEC_STATE_IDLE)
5543     {
5544         if (!btsnd_hcic_set_conn_encrypt (handle, enable))
5545             return(FALSE);
5546 
5547         p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5548 
5549         return(TRUE);
5550     }
5551     else
5552         return(FALSE);
5553 }
5554 
5555 /*******************************************************************************
5556 **
5557 ** Function         btm_sec_change_pairing_state
5558 **
5559 ** Description      This function is called to change pairing state
5560 **
5561 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5562 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5563 {
5564     tBTM_PAIRING_STATE  old_state = btm_cb.pairing_state;
5565 
5566     BTM_TRACE_EVENT1 ("btm_sec_change_pairing_state  Old: %s",  btm_pair_state_descr(btm_cb.pairing_state));
5567     BTM_TRACE_EVENT2 ("btm_sec_change_pairing_state  New: %s pairing_flags:0x%x",btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5568 
5569     btm_cb.pairing_state = new_state;
5570 
5571     if (new_state == BTM_PAIR_STATE_IDLE)
5572     {
5573         btu_stop_timer (&btm_cb.pairing_tle);
5574 
5575         btm_cb.pairing_flags = 0;
5576         btm_cb.pin_code_len  = 0;
5577 
5578         /* Make sure the the lcb shows we are not bonding */
5579         l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5580 
5581         btm_restore_mode();
5582         btm_sec_check_pending_reqs();
5583         btm_inq_clear_ssp();
5584 
5585         memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5586     }
5587     else
5588     {
5589         /* If transitionng out of idle, mark the lcb as bonding */
5590         if (old_state == BTM_PAIR_STATE_IDLE)
5591             l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5592 
5593         btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5594 
5595         btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5596     }
5597 }
5598 
5599 
5600 /*******************************************************************************
5601 **
5602 ** Function         btm_pair_state_descr
5603 **
5604 ** Description      Return state description for tracing
5605 **
5606 *******************************************************************************/
5607 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5608 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5609 {
5610 #if (BT_TRACE_VERBOSE == TRUE)
5611     switch (state)
5612     {
5613         case BTM_PAIR_STATE_IDLE:                   return("IDLE");
5614         case BTM_PAIR_STATE_GET_REM_NAME:           return("GET_REM_NAME");
5615         case BTM_PAIR_STATE_WAIT_PIN_REQ:           return("WAIT_PIN_REQ");
5616         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:         return("WAIT_LOCAL_PIN");
5617         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:   return("WAIT_NUM_CONFIRM");
5618         case BTM_PAIR_STATE_KEY_ENTRY:              return("KEY_ENTRY");
5619         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:     return("WAIT_LOCAL_OOB_RSP");
5620         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:      return("WAIT_LOCAL_IOCAPS");
5621         case BTM_PAIR_STATE_INCOMING_SSP:           return("INCOMING_SSP");
5622         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:     return("WAIT_AUTH_COMPLETE");
5623         case BTM_PAIR_STATE_WAIT_DISCONNECT:        return("WAIT_DISCONNECT");
5624     }
5625 
5626     return("???");
5627 #else
5628     sprintf(btm_cb.state_temp_buffer,"%hu",state);
5629 
5630     return(btm_cb.state_temp_buffer);
5631 #endif
5632 }
5633 #endif
5634 
5635 
5636 /*******************************************************************************
5637 **
5638 ** Function         btm_sec_dev_rec_cback_event
5639 **
5640 ** Description      This function calls the callback function with the given
5641 **                  result and clear the callback function.
5642 **
5643 ** Parameters:      void
5644 **
5645 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res)5646 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res)
5647 {
5648     tBTM_SEC_CALLBACK   *p_callback = p_dev_rec->p_callback;
5649 
5650     if (p_dev_rec->p_callback)
5651     {
5652         p_dev_rec->p_callback = NULL;
5653 
5654         (*p_callback) (p_dev_rec->bd_addr, p_dev_rec->p_ref_data, res);
5655 
5656     }
5657     btm_sec_check_pending_reqs();
5658 }
5659 
5660 /*******************************************************************************
5661 **
5662 ** Function         btm_sec_queue_mx_request
5663 **
5664 ** Description      Return state description for tracing
5665 **
5666 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5667 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
5668                                          UINT32 mx_proto_id, UINT32 mx_chan_id,
5669                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5670 {
5671     tBTM_SEC_QUEUE_ENTRY    *p_e;
5672 
5673     p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
5674 
5675     if (p_e)
5676     {
5677         p_e->psm            = psm;
5678         p_e->is_orig        = is_orig;
5679         p_e->p_callback     = p_callback;
5680         p_e->p_ref_data     = p_ref_data;
5681         p_e->mx_proto_id    = mx_proto_id;
5682         p_e->mx_chan_id     = mx_chan_id;
5683 
5684         memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5685 
5686         BTM_TRACE_EVENT4 ("btm_sec_queue_mx_request() PSM: 0x%04x  Is_Orig: %u  mx_proto_id: %u  mx_chan_id: %u",
5687                           psm, is_orig, mx_proto_id, mx_chan_id);
5688 
5689         GKI_enqueue (&btm_cb.sec_pending_q, p_e);
5690 
5691         return(TRUE);
5692     }
5693 
5694     return(FALSE);
5695 }
5696 
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)5697 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec)
5698 {
5699     UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5700     UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5701     BOOLEAN rv = FALSE;
5702 
5703     if ((major == BTM_COD_MAJOR_AUDIO)
5704         &&  ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
5705     {
5706         BTM_TRACE_EVENT2 ("btm_sec_check_prefetch_pin: Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x", major, minor);
5707 
5708         if (btm_cb.security_mode_changed == FALSE)
5709         {
5710             btm_cb.security_mode_changed = TRUE;
5711 #ifdef APPL_AUTH_WRITE_EXCEPTION
5712             if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
5713 #endif
5714                 btsnd_hcic_write_auth_enable (TRUE);
5715         }
5716     }
5717     else
5718     {
5719         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5720 
5721         /* If we got a PIN, use that, else try to get one */
5722         if (btm_cb.pin_code_len)
5723         {
5724             BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
5725         }
5726         else
5727         {
5728             /* pin was not supplied - pre-fetch pin code now */
5729             if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
5730             {
5731                 BTM_TRACE_DEBUG0("btm_sec_check_prefetch_pin: PIN code callback called");
5732                 if (btm_bda_to_acl(p_dev_rec->bd_addr) == NULL)
5733                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5734                 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5735             }
5736         }
5737 
5738         rv = TRUE;
5739     }
5740 
5741     return rv;
5742 }
5743 
5744 #if (BLE_INCLUDED == TRUE)
5745 /*******************************************************************************
5746 **
5747 ** Function         btm_sec_clear_ble_keys
5748 **
5749 ** Description      This function is called to clear out the BLE keys.
5750 **                  Typically when devices are removed in BTM_SecDeleteDevice,
5751 **                  or when a new BT Link key is generated.
5752 **
5753 ** Returns          void
5754 **
5755 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)5756 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC  *p_dev_rec)
5757 {
5758 
5759     BTM_TRACE_DEBUG0 ("btm_sec_clear_ble_keys: Clearing BLE Keys");
5760 #if (SMP_INCLUDED== TRUE)
5761     p_dev_rec->ble.key_type = 0;
5762     memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
5763 #endif
5764     gatt_delete_dev_from_srv_chg_clt_list(p_dev_rec->bd_addr);
5765 }
5766 
5767 
5768 /*******************************************************************************
5769 **
5770 ** Function         btm_sec_is_a_bonded_dev
5771 **
5772 ** Description       Is the specified device is a bonded device
5773 **
5774 ** Returns          TRUE - dev is bonded
5775 **
5776 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)5777 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
5778 {
5779 
5780     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
5781     BOOLEAN is_bonded= FALSE;
5782 
5783 #if (SMP_INCLUDED== TRUE)
5784     if (p_dev_rec && (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
5785     {
5786         is_bonded = TRUE;
5787     }
5788 #endif
5789     BTM_TRACE_DEBUG1 ("btm_sec_is_a_bonded_dev is_bonded=%d", is_bonded);
5790     return(is_bonded);
5791 }
5792 
5793 /*******************************************************************************
5794 **
5795 ** Function         btm_sec_is_le_capable_dev
5796 **
5797 ** Description       Is the specified device is dual mode or LE only device
5798 **
5799 ** Returns          TRUE - dev is a dual mode
5800 **
5801 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)5802 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
5803 {
5804     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
5805     BOOLEAN le_capable = FALSE;
5806 
5807 #if (BLE_INCLUDED== TRUE)
5808     if (p_dev_rec && ((p_dev_rec->device_type == BT_DEVICE_TYPE_DUMO) ||
5809          (p_dev_rec->device_type == BT_DEVICE_TYPE_BLE) ) )
5810     {
5811         le_capable  = TRUE;
5812     }
5813 #endif
5814     return le_capable;
5815 }
5816 
5817 /*******************************************************************************
5818 **
5819 ** Function         btm_sec_find_bonded_dev
5820 **
5821 ** Description      Find a bonded device starting from the specified index
5822 **
5823 ** Returns          TRUE - found a bonded device
5824 **
5825 *******************************************************************************/
btm_sec_find_bonded_dev(UINT8 start_idx,UINT8 * p_found_idx,tBTM_SEC_DEV_REC * p_rec)5826 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC *p_rec)
5827 {
5828     BOOLEAN found= FALSE;
5829 
5830 #if (SMP_INCLUDED== TRUE)
5831     tBTM_SEC_DEV_REC *p_dev_rec;
5832     int i;
5833     if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
5834     {
5835         BTM_TRACE_DEBUG0 ("LE bonded device not found");
5836         return found;
5837     }
5838 
5839     p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
5840     for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5841     {
5842         if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
5843         {
5844             *p_found_idx = i;
5845             p_rec = p_dev_rec;
5846             break;
5847         }
5848     }
5849     BTM_TRACE_DEBUG1 ("btm_sec_find_bonded_dev=%d", found);
5850 #endif
5851     return(found);
5852 }
5853 #endif /* BLE_INCLUDED */
5854 
5855