1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Security Manager
22 *
23 ******************************************************************************/
24
25 #include <string.h>
26 #include "bt_types.h"
27 #include "hcimsgs.h"
28 #include "btu.h"
29 #include "btm_int.h"
30 #include "l2c_int.h"
31
32 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
33 /* needed for sprintf() */
34 #include <stdio.h>
35 #endif
36
37 #if BLE_INCLUDED == TRUE
38 #include "gatt_int.h"
39 #endif
40
41 #define BTM_SEC_MAX_COLLISION_DELAY (GKI_SECS_TO_TICKS(5))
42
43 #ifdef APPL_AUTH_WRITE_EXCEPTION
44 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
45 #endif
46
47
48 /********************************************************************************
49 ** L O C A L F U N C T I O N P R O T O T Y P E S *
50 *********************************************************************************/
51 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
52 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
53 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
54 UINT32 mx_proto_id,
55 UINT32 mx_chan_id);
56
57 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
58 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
59 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
60 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
61 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
62 static void btm_restore_mode(void);
63 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
64 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
65 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
66
67 #if (BT_USE_TRACES == TRUE)
68 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state);
69 #endif
70
71 static void btm_sec_check_pending_reqs(void);
72 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
73 UINT32 mx_proto_id, UINT32 mx_chan_id,
74 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
75 static void btm_sec_bond_cancel_complete (void);
76 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
77 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec);
78
79 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
80 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]);
81
82 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason);
83 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
84
85 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
86 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
87 UINT32 mx_chan_id);
88
89 /* TRUE - authenticated link key is possible */
90 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
91 {
92 /* OUT, IO, IN, NONE */
93 /* OUT */ {FALSE, FALSE, TRUE, FALSE},
94 /* IO */ {FALSE, TRUE, TRUE, FALSE},
95 /* IN */ {TRUE, TRUE, TRUE, FALSE},
96 /* NONE */ {FALSE, FALSE, FALSE, FALSE}
97 };
98 /* BTM_IO_CAP_OUT 0 DisplayOnly */
99 /* BTM_IO_CAP_IO 1 DisplayYesNo */
100 /* BTM_IO_CAP_IN 2 KeyboardOnly */
101 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */
102
103 /*******************************************************************************
104 **
105 ** Function BTM_SecRegister
106 **
107 ** Description Application manager calls this function to register for
108 ** security services. There can be one and only one application
109 ** saving link keys. BTM allows only first registration.
110 **
111 ** Returns TRUE if registered OK, else FALSE
112 **
113 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)114 BOOLEAN BTM_SecRegister (tBTM_APPL_INFO *p_cb_info)
115 {
116 #if BLE_INCLUDED == TRUE
117 BT_OCTET16 temp_value = {0};
118 #endif
119
120 BTM_TRACE_EVENT0 ("BTM_Sec: application registered");
121
122 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
123 BTM_TRACE_ERROR1 ("BTM_SecRegister:p_cb_info->p_le_callback == 0x%x ", p_cb_info->p_le_callback);
124
125 if (p_cb_info->p_le_callback)
126 {
127 #if SMP_INCLUDED == TRUE
128 BTM_TRACE_EVENT0 ("BTM_Sec: SMP_Register( btm_proc_smp_cback )");
129 SMP_Register(btm_proc_smp_cback);
130 #endif
131 /* if no IR is loaded, need to regenerate all the keys */
132 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
133 {
134 btm_ble_reset_id();
135 }
136 }
137 else
138 {
139 BTM_TRACE_ERROR0 ("BTM_SecRegister:p_cb_info->p_le_callback == NULL ");
140 }
141 #endif
142
143
144
145 btm_cb.api = *p_cb_info;
146 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
147 BTM_TRACE_ERROR1 ("BTM_SecRegister: btm_cb.api.p_le_callback = 0x%x ", btm_cb.api.p_le_callback);
148 #endif
149 BTM_TRACE_EVENT0 ("BTM_Sec: application registered");
150 return(TRUE);
151 }
152
153
154 /*******************************************************************************
155 **
156 ** Function BTM_SecRegisterLinkKeyNotificationCallback
157 **
158 ** Description Application manager calls this function to register for
159 ** link key notification. When there is nobody registered
160 ** we should avoid changing link key
161 **
162 ** Returns TRUE if registered OK, else FALSE
163 **
164 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)165 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
166 {
167 btm_cb.api.p_link_key_callback = p_callback;
168 return(TRUE);
169 }
170
171
172 /*******************************************************************************
173 **
174 ** Function BTM_SecAddRmtNameNotifyCallback
175 **
176 ** Description Any profile can register to be notified when name of the
177 ** remote device is resolved.
178 **
179 ** Returns TRUE if registered OK, else FALSE
180 **
181 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)182 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
183 {
184 int i;
185
186 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
187 {
188 if (btm_cb.p_rmt_name_callback[i] == NULL)
189 {
190 btm_cb.p_rmt_name_callback[i] = p_callback;
191 return(TRUE);
192 }
193 }
194
195 return(FALSE);
196 }
197
198
199 /*******************************************************************************
200 **
201 ** Function BTM_SecDeleteRmtNameNotifyCallback
202 **
203 ** Description Any profile can deregister notification when a new Link Key
204 ** is generated per connection.
205 **
206 ** Returns TRUE if OK, else FALSE
207 **
208 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)209 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
210 {
211 int i;
212
213 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
214 {
215 if (btm_cb.p_rmt_name_callback[i] == p_callback)
216 {
217 btm_cb.p_rmt_name_callback[i] = NULL;
218 return(TRUE);
219 }
220 }
221
222 return(FALSE);
223 }
224
225
226 /*******************************************************************************
227 **
228 ** Function BTM_SecSetConnectFilterCallback
229 **
230 ** Description Host can register to be asked whenever a HCI connection
231 ** request is received. In the registered function host
232 ** suppose to check connectibility filters. Yes/No result
233 ** should be returned syncronously
234 **
235 ** Returns void
236 **
237 *******************************************************************************/
BTM_SecSetConnectFilterCallback(tBTM_FILTER_CB * p_callback)238 void BTM_SecSetConnectFilterCallback (tBTM_FILTER_CB *p_callback)
239 {
240 btm_cb.p_conn_filter_cb = p_callback;
241 }
242
243 /*******************************************************************************
244 **
245 ** Function BTM_GetSecurityMode
246 **
247 ** Description Get security mode for the device
248 **
249 ** Returns void
250 **
251 *******************************************************************************/
BTM_GetSecurityMode(void)252 UINT8 BTM_GetSecurityMode (void)
253 {
254 return(btm_cb.security_mode);
255 }
256
257 /*******************************************************************************
258 **
259 ** Function BTM_GetSecurityFlags
260 **
261 ** Description Get security flags for the device
262 **
263 ** Returns BOOLEAN TRUE or FALSE is device found
264 **
265 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)266 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
267 {
268 tBTM_SEC_DEV_REC *p_dev_rec;
269
270 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
271 {
272 *p_sec_flags = p_dev_rec->sec_flags;
273 return(TRUE);
274 }
275 BTM_TRACE_ERROR0 ("BTM_GetSecurityFlags false");
276 return(FALSE);
277 }
278
279 /*******************************************************************************
280 **
281 ** Function BTM_SetSecurityMode
282 **
283 ** Description Set security mode for the device
284 **
285 ** Returns void
286 **
287 *******************************************************************************/
BTM_SetSecurityMode(UINT8 security_mode)288 void BTM_SetSecurityMode (UINT8 security_mode)
289 {
290 UINT8 old_mode = btm_cb.security_mode;
291
292 UINT8 sp_mode = HCI_SP_MODE_ENABLED;
293 UINT8 sp_debug_mode = HCI_SPD_MODE_DISABLED;
294
295 switch (security_mode)
296 {
297 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
298 case BTM_SEC_MODE_NONE:
299 case BTM_SEC_MODE_SERVICE:
300 case BTM_SEC_MODE_LINK:
301 break;
302 #endif
303
304 case BTM_SEC_MODE_SP_DEBUG:
305 sp_debug_mode = HCI_SPD_MODE_ENABLED;
306 break;
307 case BTM_SEC_MODE_SP:
308 /* the default is enabled */
309 break;
310 default:
311 BTM_TRACE_ERROR1 ("BTM_SetSecurityMode: unknown mode:%d", security_mode);
312 return;
313 }
314 btm_cb.security_mode = security_mode;
315
316 if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
317 {
318 /* Lisbon devices and only use BTM_SEC_MODE_SP */
319 btm_cb.security_mode = BTM_SEC_MODE_SP;
320 BTM_TRACE_DEBUG2("BTM_SetSecurityMode: SP:%d, debug:%d", sp_mode, sp_debug_mode);
321 btsnd_hcic_write_simple_pairing_mode(sp_mode);
322 btsnd_hcic_write_simp_pair_debug_mode(sp_debug_mode);
323 return;
324 }
325
326 /* must be a pre-Lisbon device */
327 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
328 /* If previously security mode was Link Level and now lesser notify */
329 /* controller not to perform authentication, encryption on startup */
330 if ((old_mode == BTM_SEC_MODE_LINK)
331 && ( security_mode != BTM_SEC_MODE_LINK))
332 {
333 BTM_TRACE_DEBUG0("BTM_SetSecurityMode: Authen Enable -> FALSE");
334 btsnd_hcic_write_auth_enable (FALSE);
335 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_DISABLED);
336 }
337
338 /* If previously security is increased to Link Level notify */
339 /* controller to perform authentication, encryption on startup */
340 if ((old_mode != BTM_SEC_MODE_LINK)
341 && ( security_mode == BTM_SEC_MODE_LINK))
342 {
343 BTM_TRACE_DEBUG0("BTM_SetSecurityMode: Authen Enable -> TRUE");
344 btsnd_hcic_write_auth_enable (TRUE);
345 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT);
346 }
347 #endif /* BTM_PRE_LISBON_INCLUDED == TRUE */
348 }
349
350 /*******************************************************************************
351 **
352 ** Function BTM_SetPinType
353 **
354 ** Description Set PIN type for the device.
355 **
356 ** Returns void
357 **
358 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)359 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
360 {
361 BTM_TRACE_API3 ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
362 pin_type, (char *) pin_code, pin_code_len);
363
364 /* If device is not up security mode will be set as a part of startup */
365 if ( (btm_cb.cfg.pin_type != pin_type)
366 && (btm_cb.devcb.state > BTM_DEV_STATE_WAIT_AFTER_RESET) )
367 {
368 btsnd_hcic_write_pin_type (pin_type);
369 }
370
371 btm_cb.cfg.pin_type = pin_type;
372 btm_cb.cfg.pin_code_len = pin_code_len;
373 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
374 }
375
376 /*******************************************************************************
377 **
378 ** Function BTM_SetPairableMode
379 **
380 ** Description Enable or disable pairing
381 **
382 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device
383 ** allows pairing.
384 ** connect_only_paired - (TRUE or FALSE) whether or not to
385 ** only allow paired devices to connect.
386 **
387 ** Returns void
388 **
389 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)390 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
391 {
392 BTM_TRACE_API2 ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired);
393
394 btm_cb.pairing_disabled = !allow_pairing;
395 btm_cb.connect_only_paired = connect_only_paired;
396 }
397
398
399 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff)
400
401 /*******************************************************************************
402 **
403 ** Function BTM_SetUCDSecurityLevel
404 **
405 ** Description Register UCD service security level with Security Manager
406 **
407 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
408 ** p_name - Name of the service relevant only if
409 ** authorization will show this name to user. ignored
410 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
411 ** service_id - service ID for the service passed to authorization callback
412 ** sec_level - bit mask of the security features
413 ** psm - L2CAP PSM
414 ** mx_proto_id - protocol ID of multiplexing proto below
415 ** mx_chan_id - channel ID of multiplexing proto below
416 **
417 ** Returns TRUE if registered OK, else FALSE
418 **
419 *******************************************************************************/
BTM_SetUCDSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)420 BOOLEAN BTM_SetUCDSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
421 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
422 UINT32 mx_chan_id)
423 {
424 #if (L2CAP_UCD_INCLUDED == TRUE)
425 CONNECTION_TYPE conn_type;
426
427 if (is_originator)
428 conn_type = CONNLESS_ORIG;
429 else
430 conn_type = CONNLESS_TERM;
431
432 return(btm_sec_set_security_level (conn_type, p_name, service_id,
433 sec_level, psm, mx_proto_id, mx_chan_id));
434 #else
435 return FALSE;
436 #endif
437 }
438
439 /*******************************************************************************
440 **
441 ** Function BTM_SetSecurityLevel
442 **
443 ** Description Register service security level with Security Manager
444 **
445 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
446 ** p_name - Name of the service relevant only if
447 ** authorization will show this name to user. ignored
448 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
449 ** service_id - service ID for the service passed to authorization callback
450 ** sec_level - bit mask of the security features
451 ** psm - L2CAP PSM
452 ** mx_proto_id - protocol ID of multiplexing proto below
453 ** mx_chan_id - channel ID of multiplexing proto below
454 **
455 ** Returns TRUE if registered OK, else FALSE
456 **
457 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)458 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
459 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
460 UINT32 mx_chan_id)
461 {
462 #if (L2CAP_UCD_INCLUDED == TRUE)
463 CONNECTION_TYPE conn_type;
464
465 if (is_originator)
466 conn_type = CONN_ORIENT_ORIG;
467 else
468 conn_type = CONN_ORIENT_TERM;
469
470 return(btm_sec_set_security_level (conn_type, p_name, service_id,
471 sec_level, psm, mx_proto_id, mx_chan_id));
472 #else
473 return(btm_sec_set_security_level (is_originator, p_name, service_id,
474 sec_level, psm, mx_proto_id, mx_chan_id));
475 #endif
476 }
477
478 /*******************************************************************************
479 **
480 ** Function btm_sec_set_security_level
481 **
482 ** Description Register service security level with Security Manager
483 **
484 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not
485 ** p_name - Name of the service relevant only if
486 ** authorization will show this name to user. ignored
487 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
488 ** service_id - service ID for the service passed to authorization callback
489 ** sec_level - bit mask of the security features
490 ** psm - L2CAP PSM
491 ** mx_proto_id - protocol ID of multiplexing proto below
492 ** mx_chan_id - channel ID of multiplexing proto below
493 **
494 ** Returns TRUE if registered OK, else FALSE
495 **
496 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)497 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
498 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
499 UINT32 mx_chan_id)
500 {
501 tBTM_SEC_SERV_REC *p_srec;
502 UINT16 index;
503 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
504 BOOLEAN record_allocated = FALSE;
505 BOOLEAN is_originator;
506 #if (L2CAP_UCD_INCLUDED == TRUE)
507 BOOLEAN is_ucd;
508
509 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
510 is_originator = TRUE;
511 else
512 is_originator = FALSE;
513
514 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
515 {
516 is_ucd = TRUE;
517 }
518 else
519 {
520 is_ucd = FALSE;
521 }
522 #else
523 is_originator = conn_type;
524 #endif
525
526 /* See if the record can be reused (same service name, psm, mx_proto_id,
527 service_id, and mx_chan_id), or obtain the next unused record */
528
529 p_srec = &btm_cb.sec_serv_rec[0];
530
531
532 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
533 {
534 /* Check if there is already a record for this service */
535 if (p_srec->security_flags & BTM_SEC_IN_USE)
536 {
537 #if BTM_SEC_SERVICE_NAME_LEN > 0
538 if (p_srec->psm == psm &&
539 p_srec->mx_proto_id == mx_proto_id &&
540 service_id == p_srec->service_id &&
541 (!strncmp (p_name, (char *) p_srec->orig_service_name,
542 BTM_SEC_SERVICE_NAME_LEN) ||
543 !strncmp (p_name, (char *) p_srec->term_service_name,
544 BTM_SEC_SERVICE_NAME_LEN)))
545 #else
546 if (p_srec->psm == psm &&
547 p_srec->mx_proto_id == mx_proto_id &&
548 service_id == p_srec->service_id)
549 #endif
550 {
551 record_allocated = TRUE;
552 break;
553 }
554 }
555 /* Mark the first available service record */
556 else if (!record_allocated)
557 {
558 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
559 record_allocated = TRUE;
560 first_unused_record = index;
561 }
562 }
563
564 if (!record_allocated)
565 {
566 BTM_TRACE_WARNING1("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS);
567 return(record_allocated);
568 }
569
570 /* Process the request if service record is valid */
571 /* If a duplicate service wasn't found, use the first available */
572 if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
573 {
574 index = first_unused_record;
575 p_srec = &btm_cb.sec_serv_rec[index];
576 }
577
578 p_srec->psm = psm;
579 p_srec->service_id = service_id;
580 p_srec->mx_proto_id = mx_proto_id;
581
582 if (is_originator)
583 {
584 p_srec->orig_mx_chan_id = mx_chan_id;
585 #if BTM_SEC_SERVICE_NAME_LEN > 0
586 BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
587 #endif
588 /* clear out the old setting, just in case it exists */
589 #if (L2CAP_UCD_INCLUDED == TRUE)
590 if ( is_ucd )
591 {
592 p_srec->ucd_security_flags &=
593 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
594 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
595 }
596 else
597 #endif
598 {
599 p_srec->security_flags &=
600 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
601 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
602 }
603
604 /* Parameter validation. Originator should not set requirements for incoming connections */
605 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM);
606
607 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
608 {
609 if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
610 sec_level |= BTM_SEC_OUT_MITM;
611 }
612
613 /* Make sure the authenticate bit is set, when encrypt bit is set */
614 if (sec_level & BTM_SEC_OUT_ENCRYPT)
615 sec_level |= BTM_SEC_OUT_AUTHENTICATE;
616
617 /* outgoing connections usually set the security level right before
618 * the connection is initiated.
619 * set it to be the outgoing service */
620 #if (L2CAP_UCD_INCLUDED == TRUE)
621 if ( is_ucd == FALSE )
622 #endif
623 {
624 btm_cb.p_out_serv = p_srec;
625 }
626 }
627 else
628 {
629 p_srec->term_mx_chan_id = mx_chan_id;
630 #if BTM_SEC_SERVICE_NAME_LEN > 0
631 BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
632 #endif
633 /* clear out the old setting, just in case it exists */
634 #if (L2CAP_UCD_INCLUDED == TRUE)
635 if ( is_ucd )
636 {
637 p_srec->ucd_security_flags &=
638 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
639 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
640 }
641 else
642 #endif
643 {
644 p_srec->security_flags &=
645 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
646 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
647 }
648
649 /* Parameter validation. Acceptor should not set requirements for outgoing connections */
650 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
651
652 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
653 {
654 if (sec_level & BTM_SEC_IN_AUTHENTICATE)
655 sec_level |= BTM_SEC_IN_MITM;
656 }
657
658 /* Make sure the authenticate bit is set, when encrypt bit is set */
659 if (sec_level & BTM_SEC_IN_ENCRYPT)
660 sec_level |= BTM_SEC_IN_AUTHENTICATE;
661 }
662
663 #if (L2CAP_UCD_INCLUDED == TRUE)
664 if ( is_ucd )
665 {
666 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE);
667 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
668 }
669 else
670 {
671 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
672 }
673
674 BTM_TRACE_API6("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
675 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
676
677 BTM_TRACE_API2(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
678 p_srec->security_flags, p_srec->ucd_security_flags);
679
680 #if BTM_SEC_SERVICE_NAME_LEN > 0
681 BTM_TRACE_API2(" : service name [%s] (up to %d chars saved)",
682 p_name, BTM_SEC_SERVICE_NAME_LEN);
683 #endif
684 #else
685 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
686
687 BTM_TRACE_API6("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
688 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
689
690 #if BTM_SEC_SERVICE_NAME_LEN > 0
691 BTM_TRACE_API3(" : sec: 0x%x, service name [%s] (up to %d chars saved)",
692 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
693 #endif
694 #endif
695
696
697 return(record_allocated);
698 }
699
700 /*******************************************************************************
701 **
702 ** Function BTM_SecClrService
703 **
704 ** Description Removes specified service record(s) from the security database.
705 ** All service records with the specified name are removed.
706 ** Typically used only by devices with limited RAM so that it can
707 ** reuse an old security service record.
708 **
709 ** Note: Unpredictable results may occur if a service is cleared
710 ** that is still in use by an application/profile.
711 **
712 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
713 ** records (except SDP).
714 **
715 ** Returns Number of records that were freed.
716 **
717 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)718 UINT8 BTM_SecClrService (UINT8 service_id)
719 {
720 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
721 UINT8 num_freed = 0;
722 int i;
723
724 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
725 {
726 /* Delete services with specified name (if in use and not SDP) */
727 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
728 (!service_id || (service_id == p_srec->service_id)))
729 {
730 BTM_TRACE_API2("BTM_SEC_CLR[%d]: id %d", i, service_id);
731 p_srec->security_flags = 0;
732 #if (L2CAP_UCD_INCLUDED == TRUE)
733 p_srec->ucd_security_flags = 0;
734 #endif
735 num_freed++;
736 }
737 }
738
739 return(num_freed);
740 }
741
742 /*******************************************************************************
743 **
744 ** Function btm_sec_clr_service_by_psm
745 **
746 ** Description Removes specified service record from the security database.
747 ** All service records with the specified psm are removed.
748 ** Typically used by L2CAP to free up the service record used
749 ** by dynamic PSM clients when the channel is closed.
750 ** The given psm must be a virtual psm.
751 **
752 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
753 ** records (except SDP).
754 **
755 ** Returns Number of records that were freed.
756 **
757 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)758 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
759 {
760 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
761 UINT8 num_freed = 0;
762 int i;
763
764 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
765 {
766 /* Delete services with specified name (if in use and not SDP) */
767 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
768 {
769 BTM_TRACE_API2("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
770 p_srec->security_flags = 0;
771 num_freed++;
772 }
773 }
774 BTM_TRACE_API2("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
775
776 return(num_freed);
777 }
778
779 /*******************************************************************************
780 **
781 ** Function btm_sec_clr_temp_auth_service
782 **
783 ** Description Removes specified device record's temporary authorization
784 ** flag from the security database.
785 **
786 ** Parameters Device address to be cleared
787 **
788 ** Returns void.
789 **
790 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)791 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
792 {
793 tBTM_SEC_DEV_REC *p_dev_rec;
794
795 if ((p_dev_rec = btm_find_dev (bda)) == NULL)
796 {
797 BTM_TRACE_WARNING0 ("btm_sec_clr_temp_auth_service() - no dev CB");
798 return;
799 }
800
801 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
802 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
803 {
804 BTM_TRACE_DEBUG6 ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
805 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
806
807 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
808 }
809 }
810
811 /*******************************************************************************
812 **
813 **
814 ** Function BTM_SecClrUCDService
815 **
816 ** Description
817 **
818 ** Parameters Service ID - Id of the service to remove.
819 ** ('0' removes all service records )
820 **
821 ** Returns Number of records that were cleared.
822 **
823 *******************************************************************************/
BTM_SecClrUCDService(UINT8 service_id)824 UINT8 BTM_SecClrUCDService (UINT8 service_id)
825 {
826 #if (L2CAP_UCD_INCLUDED == TRUE)
827 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
828 UINT8 num_cleared = 0;
829 int i;
830
831 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
832 {
833 /* Delete services with specified name (if in use and not SDP) */
834 if ((p_srec->security_flags & BTM_SEC_IN_USE) &&
835 (!service_id || (service_id == (UINT32)p_srec->service_id)))
836 {
837 BTM_TRACE_API2("BTM_UCD_SEC_CLR[%d]: id %d", i, service_id);
838 p_srec->ucd_security_flags = 0;
839 num_cleared++;
840 }
841 }
842
843 return(num_cleared);
844 #else
845 return(0);
846 #endif
847 }
848
849 /*******************************************************************************
850 **
851 ** Function BTM_PINCodeReply
852 **
853 ** Description This function is called after Security Manager submitted
854 ** PIN code request to the UI.
855 **
856 ** Parameters: bd_addr - Address of the device for which PIN was requested
857 ** res - result of the operation BTM_SUCCESS if success
858 ** pin_len - length in bytes of the PIN Code
859 ** p_pin - pointer to array with the PIN Code
860 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
861 **
862 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])863 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
864 {
865 tBTM_SEC_DEV_REC *p_dev_rec;
866
867 BTM_TRACE_API4 ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d",
868 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
869
870 /* If timeout already expired or has been canceled, ignore the reply */
871 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
872 {
873 BTM_TRACE_WARNING1 ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
874 return;
875 }
876
877 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
878 {
879 BTM_TRACE_ERROR0 ("BTM_PINCodeReply() - Wrong BD Addr");
880 return;
881 }
882
883 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
884 {
885 BTM_TRACE_ERROR0 ("BTM_PINCodeReply() - no dev CB");
886 return;
887 }
888
889 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
890 res = BTM_ILLEGAL_VALUE;
891
892 if (res != BTM_SUCCESS)
893 {
894 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
895 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
896 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
897 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
898 {
899 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
900 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
901 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
902
903 btsnd_hcic_pin_code_neg_reply (bd_addr);
904 }
905 else
906 {
907 p_dev_rec->security_required = BTM_SEC_NONE;
908 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
909 }
910 return;
911 }
912 if (trusted_mask)
913 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
914 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
915
916 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
917 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
918 && (btm_cb.security_mode_changed == FALSE) )
919 {
920 /* This is start of the dedicated bonding if local device is 2.0 */
921 btm_cb.pin_code_len = pin_len;
922 memcpy (btm_cb.pin_code, p_pin, pin_len);
923
924 btm_cb.security_mode_changed = TRUE;
925 #ifdef APPL_AUTH_WRITE_EXCEPTION
926 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
927 #endif
928 btsnd_hcic_write_auth_enable (TRUE);
929
930 btm_cb.acl_disc_reason = 0xff ;
931
932 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
933 /* before originating */
934 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
935 {
936 BTM_TRACE_WARNING0 ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
937 /* we change state little bit early so btm_sec_connected() will originate connection */
938 /* when existing ACL link is down completely */
939 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
940 }
941 /* if we already accepted incoming connection from pairing device */
942 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
943 {
944 BTM_TRACE_WARNING0 ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
945 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
946 }
947 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
948 {
949 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
950 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
951
952 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
953 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
954 }
955 return;
956 }
957
958 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
959 btm_cb.acl_disc_reason = HCI_SUCCESS;
960
961 #ifdef PORCHE_PAIRING_CONFLICT
962 BTM_TRACE_EVENT2("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len);
963 /* if this was not pre-fetched, save the PIN */
964 if (btm_cb.pin_code_len == 0)
965 memcpy (btm_cb.pin_code, p_pin, pin_len);
966 btm_cb.pin_code_len_saved = pin_len;
967 #endif
968 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
969 }
970
971
972 /*******************************************************************************
973 **
974 ** Function BTM_DeviceAuthorized
975 **
976 ** Description This function is called after Security Manager submitted
977 ** authorization request to the UI.
978 **
979 ** Parameters: bd_addr - Address of the device for which PIN was requested
980 ** res - result of the operation BTM_SUCCESS if success
981 **
982 *******************************************************************************/
BTM_DeviceAuthorized(BD_ADDR bd_addr,UINT8 res,UINT32 trusted_mask[])983 void BTM_DeviceAuthorized (BD_ADDR bd_addr, UINT8 res, UINT32 trusted_mask[])
984 {
985 tBTM_SEC_DEV_REC *p_dev_rec;
986
987 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
988 {
989 BTM_TRACE_WARNING6 ("Security Manager: Attempting Authorization of Unknown Device Address [%02x%02x%02x%02x%02x%02x]",
990 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
991 return;
992 }
993
994 BTM_TRACE_EVENT4 ("Security Manager: authorized status:%d State:%d Trusted:%08x %08x",
995 res, (p_dev_rec) ? p_dev_rec->sec_state : 0, trusted_mask[0], trusted_mask[1]);
996
997 if (res == BTM_SUCCESS)
998 {
999 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
1000 if (trusted_mask)
1001 {
1002 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1003 }
1004
1005 /* Save the currently authorized service in case we are asked again
1006 by another multiplexer layer */
1007 if (!p_dev_rec->is_originator)
1008 {
1009 BTM_TRACE_DEBUG1("BTM_DeviceAuthorized: Setting last_author_service_id to %d",
1010 p_dev_rec->p_cur_service->service_id);
1011 p_dev_rec->last_author_service_id = p_dev_rec->p_cur_service->service_id;
1012 }
1013 }
1014
1015 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
1016 return;
1017
1018 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1019
1020 if (res != BTM_SUCCESS)
1021 {
1022 btm_sec_dev_rec_cback_event (p_dev_rec, res);
1023 return;
1024 }
1025
1026 if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
1027 {
1028 btm_sec_dev_rec_cback_event (p_dev_rec, res);
1029 }
1030 }
1031
1032
1033
1034 /*******************************************************************************
1035 **
1036 ** Function BTM_SecBond
1037 **
1038 ** Description This function is called to perform bonding with peer device.
1039 ** If the connection is already up, but not secure, pairing
1040 ** is attempted. If already paired BTM_SUCCESS is returned.
1041 **
1042 ** Parameters: bd_addr - Address of the device to bond
1043 ** pin_len - length in bytes of the PIN Code
1044 ** p_pin - pointer to array with the PIN Code
1045 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1046 **
1047 ** Note: After 2.1 parameters are not used and preserved here not to change API
1048 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1049 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1050 {
1051 tBTM_SEC_DEV_REC *p_dev_rec;
1052 tBTM_STATUS status;
1053 UINT8 *p_features;
1054 UINT8 ii;
1055
1056 BTM_TRACE_API6 ("BTM_SecBond BDA: %02x:%02x:%02x:%02x:%02x:%02x",
1057 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
1058
1059 /* Other security process is in progress */
1060 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1061 {
1062 BTM_TRACE_ERROR1 ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
1063 return(BTM_WRONG_MODE);
1064 }
1065
1066 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
1067 {
1068 return(BTM_NO_RESOURCES);
1069 }
1070
1071 BTM_TRACE_DEBUG1 ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
1072
1073 /* Finished if connection is active and already paired */
1074 if ( (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1075 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) )
1076 {
1077 BTM_TRACE_WARNING0("BTM_SecBond -> Already Paired");
1078 return(BTM_SUCCESS);
1079 }
1080
1081 /* Tell controller to get rid of the link key if it has one stored */
1082 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1083 return(BTM_NO_RESOURCES);
1084
1085 /* Save the PIN code if we got a valid one */
1086 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1087 {
1088 btm_cb.pin_code_len = pin_len;
1089 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1090 }
1091
1092 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1093
1094 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1095
1096 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1097 p_dev_rec->is_originator = TRUE;
1098 if (trusted_mask)
1099 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1100
1101 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1102 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED);
1103
1104
1105 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1106 /* LE device, do SMP pairing */
1107 if (BTM_UseLeLink(bd_addr))
1108 {
1109 if (SMP_Pair(bd_addr) == SMP_STARTED)
1110 {
1111 btm_cb.pairing_state = BTM_PAIR_STATE_WAIT_AUTH_COMPLETE;
1112 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1113 return BTM_CMD_STARTED;
1114 }
1115 else
1116 return(BTM_NO_RESOURCES);
1117 }
1118 #endif
1119
1120 BTM_TRACE_DEBUG1 ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1121 if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
1122 {
1123 /* The special case when we authenticate keyboard. Set pin type to fixed */
1124 /* It would be probably better to do it from the application, but it is */
1125 /* complicated */
1126 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1127 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1128 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1129 {
1130 btm_cb.pin_type_changed = TRUE;
1131 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1132 }
1133 }
1134
1135 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1136 {
1137 p_features = p_dev_rec->features[ii];
1138 BTM_TRACE_EVENT5(" remote_features page[%1d] = %02x-%02x-%02x-%02x",
1139 ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1140 BTM_TRACE_EVENT4(" %02x-%02x-%02x-%02x",
1141 p_features[4], p_features[5], p_features[6], p_features[7]);
1142 }
1143
1144 BTM_TRACE_EVENT2 ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1145
1146 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1147 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1148 #endif
1149
1150 /* If connection already exists... */
1151 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1152 {
1153 if (!btm_sec_start_authentication (p_dev_rec))
1154 return(BTM_NO_RESOURCES);
1155
1156 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1157
1158 /* Mark lcb as bonding */
1159 l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1160 return(BTM_CMD_STARTED);
1161 }
1162
1163 BTM_TRACE_DEBUG2 ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1164 if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0])
1165 || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1166 {
1167 if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1168 return(BTM_CMD_STARTED);
1169 }
1170 if (BTM_SEC_MODE_SP == btm_cb.security_mode && BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1171 {
1172 /* local is 2.1 and peer is unknown */
1173 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1174 {
1175 /* we are not accepting connection request from peer
1176 * -> RNR (to learn if peer is 2.1)
1177 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1178 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1179 BTM_ReadRemoteDeviceName(bd_addr, NULL);
1180 }
1181 else
1182 {
1183 /* We are accepting connection request from peer */
1184 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1185 }
1186 BTM_TRACE_DEBUG3 ("State:%s sm4: 0x%x sec_state:%d", btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1187 return BTM_CMD_STARTED;
1188 }
1189
1190 /* both local and peer are 2.1 */
1191 status = btm_sec_dd_create_conn(p_dev_rec);
1192
1193 if (status != BTM_CMD_STARTED)
1194 {
1195 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1196 }
1197
1198 return status;
1199 }
1200
1201
1202 /*******************************************************************************
1203 **
1204 ** Function BTM_SecBondCancel
1205 **
1206 ** Description This function is called to cancel ongoing bonding process
1207 ** with peer device.
1208 **
1209 ** Parameters: bd_addr - Address of the peer device
1210 **
1211 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1212 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1213 {
1214 tBTM_SEC_DEV_REC *p_dev_rec;
1215 #if SMP_INCLUDED == TRUE
1216 tACL_CONN *p=NULL;
1217 #endif
1218
1219 BTM_TRACE_API2 ("BTM_SecBondCancel() State: %s flags:0x%x",
1220 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1221
1222 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1223 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1224 return BTM_UNKNOWN_ADDR;
1225
1226 #if SMP_INCLUDED == TRUE
1227 p = btm_bda_to_acl(bd_addr);
1228 if (p && p->is_le_link &&
1229 (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING))
1230 {
1231 BTM_TRACE_DEBUG0 ("Cancel LE pairing");
1232 if (SMP_PairCancel(bd_addr))
1233 {
1234 return BTM_CMD_STARTED;
1235 }
1236 else
1237 {
1238 return BTM_WRONG_MODE;
1239 }
1240 }
1241
1242 #endif
1243 BTM_TRACE_DEBUG2 ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1244 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1245 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1246 {
1247 /* pre-fetching pin for dedicated bonding */
1248 btm_sec_bond_cancel_complete();
1249 return BTM_SUCCESS;
1250 }
1251
1252 /* If this BDA is in a bonding procedure */
1253 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1254 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1255 {
1256 /* If the HCI link is up */
1257 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1258 {
1259 /* If some other thread disconnecting, we do not send second command */
1260 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING)
1261 return(BTM_CMD_STARTED);
1262
1263 /* If the HCI link was set up by Bonding process */
1264 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1265 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER);
1266 else
1267 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1268
1269 return BTM_NOT_AUTHORIZED;
1270 }
1271 else /*HCI link is not up */
1272 {
1273 /* If the HCI link creation was started by Bonding process */
1274 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1275 {
1276 if (btsnd_hcic_create_conn_cancel(bd_addr))
1277 return BTM_CMD_STARTED;
1278
1279 return BTM_NO_RESOURCES;
1280 }
1281 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1282 {
1283 BTM_CancelRemoteDeviceName();
1284 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1285 return BTM_CMD_STARTED;
1286 }
1287 return BTM_NOT_AUTHORIZED;
1288 }
1289 }
1290
1291 return BTM_WRONG_MODE;
1292 }
1293
1294 /*******************************************************************************
1295 **
1296 ** Function BTM_SecUseMasterLinkKey
1297 **
1298 ** Description This function is called to tell master of the piconet to
1299 ** switch to master link key
1300 **
1301 ** Parameters: use_master_key - If true Master Link Key shoul be used
1302 **
1303 *******************************************************************************/
BTM_SecUseMasterLinkKey(BOOLEAN use_master_key)1304 tBTM_STATUS BTM_SecUseMasterLinkKey (BOOLEAN use_master_key)
1305 {
1306 return(btsnd_hcic_master_link_key (use_master_key) ? BTM_SUCCESS :
1307 BTM_NO_RESOURCES);
1308 }
1309
1310 /*******************************************************************************
1311 **
1312 ** Function BTM_SetMasterKeyCompCback
1313 **
1314 ** Description This function is called to register for the master key complete
1315 ** status event.
1316 **
1317 ** Parameters: mkey_cback - callback registered with the security manager
1318 **
1319 *******************************************************************************/
BTM_SetMasterKeyCompCback(tBTM_MKEY_CALLBACK * mkey_cback)1320 void BTM_SetMasterKeyCompCback( tBTM_MKEY_CALLBACK *mkey_cback )
1321 {
1322 btm_cb.mkey_cback = mkey_cback;
1323 }
1324
1325 /*******************************************************************************
1326 **
1327 ** Function BTM_SecGetDeviceLinkKey
1328 **
1329 ** Description This function is called to obtain link key for the device
1330 ** it returns BTM_SUCCESS if link key is available, or
1331 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1332 ** the device or device record does not contain link key info
1333 **
1334 ** Parameters: bd_addr - Address of the device
1335 ** link_key - Link Key is copied into this array
1336 **
1337 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1338 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1339 {
1340 tBTM_SEC_DEV_REC *p_dev_rec;
1341
1342 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1343 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1344 {
1345 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1346 return(BTM_SUCCESS);
1347 }
1348 return(BTM_UNKNOWN_ADDR);
1349 }
1350
1351
1352 /*******************************************************************************
1353 **
1354 ** Function BTM_SetEncryption
1355 **
1356 ** Description This function is called to ensure that connection is
1357 ** encrypted. Should be called only on an open connection.
1358 ** Typically only needed for connections that first want to
1359 ** bring up unencrypted links, then later encrypt them.
1360 **
1361 ** Parameters: bd_addr - Address of the peer device
1362 ** p_callback - Pointer to callback function called if
1363 ** this function returns PENDING after required
1364 ** procedures are completed. Can be set to NULL
1365 ** if status is not desired.
1366 ** p_ref_data - pointer to any data the caller wishes to receive
1367 ** in the callback function upon completion.
1368 * can be set to NULL if not used.
1369 **
1370 ** Returns BTM_SUCCESS - already encrypted
1371 ** BTM_PENDING - command will be returned in the callback
1372 ** BTM_WRONG_MODE- connection not up.
1373 ** BTM_BUSY - security procedures are currently active
1374 ** BTM_MODE_UNSUPPORTED - if security manager not linked in.
1375 **
1376 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1377 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBTM_SEC_CBACK *p_callback,
1378 void *p_ref_data)
1379 {
1380 tBTM_SEC_DEV_REC *p_dev_rec;
1381 tBTM_STATUS rc;
1382
1383 #if BLE_INCLUDED == TRUE
1384 tACL_CONN *p;
1385 p = btm_bda_to_acl(bd_addr);
1386 #endif
1387
1388 p_dev_rec = btm_find_dev (bd_addr);
1389 if (!p_dev_rec || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
1390 {
1391 /* Connection should be up and runnning */
1392 BTM_TRACE_WARNING0 ("Security Manager: BTM_SetEncryption not connected");
1393
1394 if (p_callback)
1395 (*p_callback) (bd_addr, p_ref_data, BTM_WRONG_MODE);
1396
1397 return(BTM_WRONG_MODE);
1398 }
1399
1400
1401 if (
1402 #if BLE_INCLUDED == TRUE
1403 !p->is_le_link &&
1404 #endif
1405 (p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))
1406 == (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))
1407 {
1408 BTM_TRACE_EVENT0 ("Security Manager: BTM_SetEncryption already encrypted");
1409
1410 if (p_callback)
1411 (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS);
1412
1413 return(BTM_SUCCESS);
1414 }
1415
1416 if (p_dev_rec->p_callback)
1417 {
1418 /* Connection should be up and runnning */
1419 BTM_TRACE_WARNING0 ("Security Manager: BTM_SetEncryption busy");
1420
1421 if (p_callback)
1422 (*p_callback) (bd_addr, p_ref_data, BTM_BUSY);
1423
1424 return(BTM_BUSY);
1425 }
1426
1427 p_dev_rec->p_callback = p_callback;
1428 p_dev_rec->p_ref_data = p_ref_data;
1429 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1430 p_dev_rec->is_originator = FALSE;
1431
1432 BTM_TRACE_API4 ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1433 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1434 p_dev_rec->security_required);
1435 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1436 if (p->is_le_link)
1437 {
1438 rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1439 }
1440 else
1441 #endif
1442
1443 rc = btm_sec_execute_procedure (p_dev_rec);
1444
1445 if ( rc != BTM_CMD_STARTED)
1446 {
1447 if (p_callback)
1448 {
1449 p_dev_rec->p_callback = NULL;
1450 (*p_callback) (bd_addr, p_dev_rec->p_ref_data, rc);
1451 }
1452 }
1453 return(rc);
1454 }
1455
1456 /*******************************************************************************
1457 * disconnect the ACL link, if it's not done yet.
1458 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason)1459 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason)
1460 {
1461 UINT8 old_state = p_dev_rec->sec_state;
1462 tBTM_STATUS status = BTM_CMD_STARTED;
1463
1464 BTM_TRACE_EVENT2 ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x",
1465 p_dev_rec->hci_handle, reason);
1466
1467 /* if some other thread disconnecting, we do not send second command */
1468 if (BTM_SEC_STATE_DISCONNECTING != old_state)
1469 {
1470 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING;
1471
1472 #if BTM_DISC_DURING_RS == TRUE
1473 /* If a Role Switch is in progress, delay the HCI Disconnect to avoid controller problem (4329B1) */
1474 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING)
1475 {
1476 BTM_TRACE_ERROR0("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1477 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1478 status = BTM_SUCCESS;
1479 }
1480 else
1481 #endif
1482 /* Tear down the HCI link */
1483 if (!btsnd_hcic_disconnect (p_dev_rec->hci_handle, reason))
1484 {
1485 /* could not send disconnect. restore old state */
1486 p_dev_rec->sec_state = old_state;
1487 status = BTM_NO_RESOURCES;
1488 }
1489 }
1490 return (status);
1491 }
1492
1493 /*******************************************************************************
1494 **
1495 ** Function BTM_ConfirmReqReply
1496 **
1497 ** Description This function is called to confirm the numeric value for
1498 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1499 **
1500 ** Parameters: res - result of the operation BTM_SUCCESS if success
1501 ** bd_addr - Address of the peer device
1502 **
1503 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1504 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1505 {
1506 tBTM_SEC_DEV_REC *p_dev_rec;
1507
1508 BTM_TRACE_EVENT2 ("BTM_ConfirmReqReply() State: %s Res: %u",
1509 btm_pair_state_descr(btm_cb.pairing_state), res);
1510
1511 /* If timeout already expired or has been canceled, ignore the reply */
1512 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1513 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1514 return;
1515
1516 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1517
1518 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1519 {
1520 btm_cb.acl_disc_reason = HCI_SUCCESS;
1521
1522 if (res == BTM_SUCCESS)
1523 {
1524 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1525 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1526 }
1527
1528 btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1529 }
1530 else
1531 {
1532 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1533 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1534 btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1535 }
1536 }
1537
1538 /*******************************************************************************
1539 **
1540 ** Function BTM_PasskeyReqReply
1541 **
1542 ** Description This function is called to provide the passkey for
1543 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1544 **
1545 ** Parameters: res - result of the operation BTM_SUCCESS if success
1546 ** bd_addr - Address of the peer device
1547 ** passkey - numeric value in the range of
1548 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1549 **
1550 *******************************************************************************/
1551 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1552 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1553 {
1554 tBTM_SEC_DEV_REC *p_dev_rec;
1555
1556 BTM_TRACE_API2 ("BTM_PasskeyReqReply: State: %s res:%d",
1557 btm_pair_state_descr(btm_cb.pairing_state), res);
1558
1559 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1560 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1561 {
1562 return;
1563 }
1564
1565 /* If timeout already expired or has been canceled, ignore the reply */
1566 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1567 {
1568 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1569 {
1570 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1571
1572 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1573 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE);
1574 else
1575 BTM_SecBondCancel(bd_addr);
1576
1577 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1578
1579 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1580 return;
1581 }
1582 }
1583 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1584 return;
1585
1586 if (passkey > BTM_MAX_PASSKEY_VAL)
1587 res = BTM_ILLEGAL_VALUE;
1588
1589 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1590
1591 if (res != BTM_SUCCESS)
1592 {
1593 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1594 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1595 btsnd_hcic_user_passkey_neg_reply (bd_addr);
1596 }
1597 else
1598 {
1599 btm_cb.acl_disc_reason = HCI_SUCCESS;
1600 btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1601 }
1602 }
1603 #endif
1604
1605 /*******************************************************************************
1606 **
1607 ** Function BTM_SendKeypressNotif
1608 **
1609 ** Description This function is used during the passkey entry model
1610 ** by a device with KeyboardOnly IO capabilities
1611 ** (very likely to be a HID Device).
1612 ** It is called by a HID Device to inform the remote device when
1613 ** a key has been entered or erased.
1614 **
1615 ** Parameters: bd_addr - Address of the peer device
1616 ** type - notification type
1617 **
1618 *******************************************************************************/
1619 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1620 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1621 {
1622 /* This API only make sense between PASSKEY_REQ and SP complete */
1623 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1624 btsnd_hcic_send_keypress_notif (bd_addr, type);
1625 }
1626 #endif
1627
1628 #if BTM_OOB_INCLUDED == TRUE
1629 /*******************************************************************************
1630 **
1631 ** Function BTM_IoCapRsp
1632 **
1633 ** Description This function is called in response to BTM_SP_IO_REQ_EVT
1634 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1635 ** by the tBTM_SP_CALLBACK implementation, this function is
1636 ** called to provide the actual response
1637 **
1638 ** Parameters: bd_addr - Address of the peer device
1639 ** io_cap - The IO capability of local device.
1640 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT.
1641 ** auth_req- MITM protection required or not.
1642 **
1643 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1644 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1645 {
1646 BTM_TRACE_EVENT3 ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d",
1647 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1648
1649 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1650 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1651 return;
1652
1653 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1654 {
1655 btm_cb.devcb.loc_auth_req = auth_req;
1656 btm_cb.devcb.loc_io_caps = io_cap;
1657
1658 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1659 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1660
1661 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1662 }
1663 }
1664
1665 /*******************************************************************************
1666 **
1667 ** Function BTM_ReadLocalOobData
1668 **
1669 ** Description This function is called to read the local OOB data from
1670 ** LM
1671 **
1672 *******************************************************************************/
BTM_ReadLocalOobData(void)1673 tBTM_STATUS BTM_ReadLocalOobData(void)
1674 {
1675 tBTM_STATUS status = BTM_SUCCESS;
1676
1677 if (btsnd_hcic_read_local_oob_data() == FALSE)
1678 status = BTM_NO_RESOURCES;
1679
1680 return status;
1681 }
1682
1683 /*******************************************************************************
1684 **
1685 ** Function BTM_RemoteOobDataReply
1686 **
1687 ** Description This function is called to provide the remote OOB data for
1688 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1689 **
1690 ** Parameters: bd_addr - Address of the peer device
1691 ** c - simple pairing Hash C.
1692 ** r - simple pairing Randomizer C.
1693 **
1694 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1695 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1696 {
1697 BTM_TRACE_EVENT2 ("BTM_RemoteOobDataReply(): State: %s res:%d",
1698 btm_pair_state_descr(btm_cb.pairing_state), res);
1699
1700 /* If timeout already expired or has been canceled, ignore the reply */
1701 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1702 return;
1703
1704 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1705
1706 if (res != BTM_SUCCESS)
1707 {
1708 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1709 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1710 btsnd_hcic_rem_oob_neg_reply (bd_addr);
1711 }
1712 else
1713 {
1714 btm_cb.acl_disc_reason = HCI_SUCCESS;
1715 btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1716 }
1717 }
1718
1719 /*******************************************************************************
1720 **
1721 ** Function BTM_BuildOobData
1722 **
1723 ** Description This function is called to build the OOB data payload to
1724 ** be sent over OOB (non-Bluetooth) link
1725 **
1726 ** Parameters: p_data - the location for OOB data
1727 ** max_len - p_data size.
1728 ** c - simple pairing Hash C.
1729 ** r - simple pairing Randomizer C.
1730 ** name_len- 0, local device name would not be included.
1731 ** otherwise, the local device name is included for
1732 ** up to this specified length
1733 **
1734 ** Returns Number of bytes in p_data.
1735 **
1736 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1737 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1738 BT_OCTET16 r, UINT8 name_len)
1739 {
1740 UINT8 *p = p_data;
1741 UINT16 len = 0;
1742 UINT16 delta;
1743 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1744 UINT16 name_size;
1745 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1746 #endif
1747
1748 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1749 {
1750 /* add mandatory part */
1751 UINT16_TO_STREAM(p, len);
1752 BDADDR_TO_STREAM(p, btm_cb.devcb.local_addr);
1753
1754 len = BTM_OOB_MANDATORY_SIZE;
1755 max_len -= len;
1756
1757 /* now optional part */
1758
1759 /* add Hash C */
1760 delta = BTM_OOB_HASH_C_SIZE + 2;
1761 if (max_len >= delta)
1762 {
1763 *p++ = BTM_OOB_HASH_C_SIZE + 1;
1764 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1765 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1766 len += delta;
1767 max_len -= delta;
1768 }
1769
1770 /* add Rand R */
1771 delta = BTM_OOB_RAND_R_SIZE + 2;
1772 if (max_len >= delta)
1773 {
1774 *p++ = BTM_OOB_RAND_R_SIZE + 1;
1775 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1776 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1777 len += delta;
1778 max_len -= delta;
1779 }
1780
1781 /* add class of device */
1782 delta = BTM_OOB_COD_SIZE + 2;
1783 if (max_len >= delta)
1784 {
1785 *p++ = BTM_OOB_COD_SIZE + 1;
1786 *p++ = BTM_EIR_OOB_COD_TYPE;
1787 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1788 len += delta;
1789 max_len -= delta;
1790 }
1791 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1792 name_size = name_len;
1793 if (name_size > strlen(btm_cb.cfg.bd_name))
1794 {
1795 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1796 name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1797 }
1798 delta = name_size + 2;
1799 if (max_len >= delta)
1800 {
1801 *p++ = name_size + 1;
1802 *p++ = name_type;
1803 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1804 len += delta;
1805 max_len -= delta;
1806 }
1807 #endif
1808 /* update len */
1809 p = p_data;
1810 UINT16_TO_STREAM(p, len);
1811 }
1812 return len;
1813 }
1814
1815 /*******************************************************************************
1816 **
1817 ** Function BTM_ReadOobData
1818 **
1819 ** Description This function is called to parse the OOB data payload
1820 ** received over OOB (non-Bluetooth) link
1821 **
1822 ** Parameters: p_data - the location for OOB data
1823 ** eir_tag - The associated EIR tag to read the data.
1824 ** *p_len(output) - the length of the data with the given tag.
1825 **
1826 ** Returns the beginning of the data with the given tag.
1827 ** NULL, if the tag is not found.
1828 **
1829 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1830 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1831 {
1832 UINT8 *p = p_data;
1833 UINT16 max_len;
1834 UINT8 len, type;
1835 UINT8 *p_ret = NULL;
1836 UINT8 ret_len = 0;
1837
1838 if (p_data)
1839 {
1840 STREAM_TO_UINT16(max_len, p);
1841 if (max_len >= BTM_OOB_MANDATORY_SIZE)
1842 {
1843 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1844 {
1845 p_ret = p; /* the location for bd_addr */
1846 ret_len = BTM_OOB_BD_ADDR_SIZE;
1847 }
1848 else
1849 {
1850 p += BD_ADDR_LEN;
1851 max_len -= BTM_OOB_MANDATORY_SIZE;
1852 /* now the optional data in EIR format */
1853 while (max_len > 0)
1854 {
1855 len = *p++; /* tag data len + 1 */
1856 type = *p++;
1857 if (eir_tag == type)
1858 {
1859 p_ret = p;
1860 ret_len = len - 1;
1861 break;
1862 }
1863 /* the data size of this tag is len + 1 (tag data len + 2) */
1864 if (max_len > len)
1865 {
1866 max_len -= len;
1867 max_len--;
1868 len--;
1869 p += len;
1870 }
1871 else
1872 max_len = 0;
1873 }
1874 }
1875 }
1876 }
1877
1878 if (p_len)
1879 *p_len = ret_len;
1880
1881 return p_ret;
1882 }
1883 #endif
1884
1885 /*******************************************************************************
1886 **
1887 ** Function BTM_SetOutService
1888 **
1889 ** Description This function is called to set the service for
1890 ** outgoing connections.
1891 **
1892 ** If the profile/application calls BTM_SetSecurityLevel
1893 ** before initiating a connection, this function does not
1894 ** need to be called.
1895 **
1896 ** Returns void
1897 **
1898 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1899 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1900 {
1901 tBTM_SEC_DEV_REC *p_dev_rec;
1902 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1903 int i;
1904
1905 btm_cb.p_out_serv = p_serv_rec;
1906 p_dev_rec = btm_find_dev (bd_addr);
1907
1908 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1909 {
1910 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1911 && (p_serv_rec->service_id == service_id)
1912 && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1913 {
1914 BTM_TRACE_API4("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1915 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1916 btm_cb.p_out_serv = p_serv_rec;
1917 if (p_dev_rec)
1918 p_dev_rec->p_cur_service = p_serv_rec;
1919 break;
1920 }
1921 }
1922 }
1923
1924 /************************************************************************
1925 ** I N T E R N A L F U N C T I O N S
1926 *************************************************************************/
1927 /*******************************************************************************
1928 **
1929 ** Function btm_sec_is_upgrade_possible
1930 **
1931 ** Description This function returns TRUE if the existing link key
1932 ** can be upgraded or if the link key does not exist.
1933 **
1934 ** Returns BOOLEAN
1935 **
1936 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)1937 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
1938 {
1939 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
1940 BOOLEAN is_possible = TRUE;
1941
1942 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
1943 {
1944 is_possible = FALSE;
1945 BTM_TRACE_DEBUG5 ("btm_sec_is_upgrade_possible id:%d, link_key_typet:%d, rmt_io_caps:%d, chk flags:x%x, flags:x%x",
1946 p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps,
1947 mtm_check, p_dev_rec->p_cur_service->security_flags);
1948 /* Already have a link key to the connected peer. Is the link key secure enough?
1949 ** Is a link key upgrade even possible?
1950 */
1951 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */
1952 && (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) /* has unauthenticated link key */
1953 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */
1954 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) /* authenticated link key is possible */
1955 {
1956 /* upgrade is possible: check if the application wants the upgrade.
1957 * If the application is configured to use a global MITM flag,
1958 * it probably would not want to upgrade the link key based on the security level database */
1959 is_possible = TRUE;
1960 }
1961 }
1962 BTM_TRACE_DEBUG2 ("btm_sec_is_upgrade_possible is_possible:%d sec_flags:0x%x", is_possible, p_dev_rec->sec_flags);
1963 return is_possible;
1964 }
1965
1966 /*******************************************************************************
1967 **
1968 ** Function btm_sec_check_upgrade
1969 **
1970 ** Description This function is called to check if the existing link key
1971 ** needs to be upgraded.
1972 **
1973 ** Returns void
1974 **
1975 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)1976 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
1977 {
1978 tBTM_SP_UPGRADE evt_data;
1979
1980 BTM_TRACE_DEBUG0 ("btm_sec_check_upgrade...");
1981
1982 /* Only check if link key already exists */
1983 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1984 return;
1985 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
1986 {
1987 BTM_TRACE_DEBUG1 ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
1988 /* upgrade is possible: check if the application wants the upgrade.
1989 * If the application is configured to use a global MITM flag,
1990 * it probably would not want to upgrade the link key based on the security level database */
1991 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
1992 evt_data.upgrade = TRUE;
1993 if (btm_cb.api.p_sp_callback)
1994 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
1995
1996 BTM_TRACE_DEBUG1 ("evt_data.upgrade:0x%x", evt_data.upgrade);
1997 if (evt_data.upgrade)
1998 {
1999 /* if the application confirms the upgrade, set the upgrade bit */
2000 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2001
2002 /* Clear the link key known to go through authentication/pairing again */
2003 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2004 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2005 BTM_TRACE_DEBUG1 ("sec_flags:0x%x", p_dev_rec->sec_flags);
2006 }
2007 }
2008 }
2009
2010 /*******************************************************************************
2011 **
2012 ** Function btm_sec_l2cap_access_req
2013 **
2014 ** Description This function is called by the L2CAP to grant permission to
2015 ** establish L2CAP connection to or from the peer device.
2016 **
2017 ** Parameters: bd_addr - Address of the peer device
2018 ** psm - L2CAP PSM
2019 ** is_originator - TRUE if protocol above L2CAP originates
2020 ** connection
2021 ** p_callback - Pointer to callback function called if
2022 ** this function returns PENDING after required
2023 ** procedures are complete. MUST NOT BE NULL.
2024 **
2025 ** Returns tBTM_STATUS
2026 **
2027 *******************************************************************************/
2028 #define BTM_SEC_OUT_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2029 #define BTM_SEC_IN_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2030
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2031 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2032 CONNECTION_TYPE conn_type,
2033 tBTM_SEC_CALLBACK *p_callback,
2034 void *p_ref_data)
2035 {
2036 tBTM_SEC_DEV_REC *p_dev_rec;
2037 tBTM_SEC_SERV_REC *p_serv_rec;
2038 UINT16 security_required;
2039 UINT16 old_security_required;
2040 BOOLEAN old_is_originator;
2041 tBTM_STATUS rc = BTM_SUCCESS;
2042 BOOLEAN chk_acp_auth_done = FALSE;
2043 BOOLEAN is_originator;
2044
2045 #if (L2CAP_UCD_INCLUDED == TRUE)
2046 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2047 is_originator = TRUE;
2048 else
2049 is_originator = FALSE;
2050
2051 BTM_TRACE_DEBUG2 ("btm_sec_l2cap_access_req conn_type:0x%x, 0x%x", conn_type, p_ref_data);
2052 #else
2053 is_originator = conn_type;
2054
2055 BTM_TRACE_DEBUG2 ("btm_sec_l2cap_access_req is_originator:%d, 0x%x", is_originator, p_ref_data);
2056 #endif
2057
2058 /* Find or get oldest record */
2059 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2060
2061 p_dev_rec->hci_handle = handle;
2062
2063 /* Find the service record for the PSM */
2064 p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2065
2066 /* If there is no application registered with this PSM do not allow connection */
2067 if (!p_serv_rec)
2068 {
2069 BTM_TRACE_WARNING1 ("btm_sec_l2cap_access_req() PSM:%d no application registerd", psm);
2070
2071 (*p_callback) (bd_addr, p_ref_data, BTM_MODE_UNSUPPORTED);
2072
2073 return(BTM_MODE_UNSUPPORTED);
2074 }
2075
2076 /* SDP connection we will always let through */
2077 if (BT_PSM_SDP == psm)
2078 {
2079 (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2080
2081 return(BTM_SUCCESS);
2082 }
2083 #if (L2CAP_UCD_INCLUDED == TRUE)
2084 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2085 {
2086 security_required = p_serv_rec->ucd_security_flags;
2087
2088 rc = BTM_CMD_STARTED;
2089 if (is_originator)
2090 {
2091 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2092 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2093 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2094 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2095 {
2096 rc = BTM_SUCCESS;
2097 }
2098 }
2099 else
2100 {
2101 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2102 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2103 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2104 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2105 {
2106 rc = BTM_SUCCESS;
2107 }
2108 }
2109
2110 if (rc == BTM_SUCCESS)
2111 {
2112 if (p_callback)
2113 (*p_callback) (bd_addr, (void *)p_ref_data, BTM_SUCCESS);
2114
2115 return(BTM_SUCCESS);
2116 }
2117 }
2118 else
2119 #endif
2120 {
2121 security_required = p_serv_rec->security_flags;
2122 }
2123
2124 /* there are some devices (moto KRZR) which connects to several services at the same time */
2125 /* we will process one after another */
2126 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2127 {
2128 BTM_TRACE_EVENT4 ("btm_sec_l2cap_access_req() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x",
2129 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2130 BTM_TRACE_EVENT2 ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2131 rc = BTM_CMD_STARTED;
2132 if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2133 || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2134 || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2135 )
2136 {
2137 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2138 * or SM4 with no possibility of link key upgrade */
2139 if (is_originator)
2140 {
2141 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2142 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2143 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2144 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2145 {
2146 rc = BTM_SUCCESS;
2147 }
2148 }
2149 else
2150 {
2151 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2152 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2153 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2154 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2155 {
2156 rc = BTM_SUCCESS;
2157 }
2158 }
2159
2160 if (rc == BTM_SUCCESS)
2161 {
2162 if (p_callback)
2163 (*p_callback) (bd_addr, (void *)p_ref_data, BTM_SUCCESS);
2164
2165 return(BTM_SUCCESS);
2166 }
2167 }
2168
2169 btm_cb.sec_req_pending = TRUE;
2170 return(BTM_CMD_STARTED);
2171 }
2172
2173 /* Save pointer to service record */
2174 p_dev_rec->p_cur_service = p_serv_rec;
2175
2176
2177 /* mess /w security_required in btm_sec_l2cap_access_req for Lisbon */
2178 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
2179 {
2180 if (is_originator)
2181 {
2182 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2183 {
2184 /* SM4 to SM4 -> always authenticate & encrypt */
2185 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2186 }
2187 else
2188 {
2189 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2190 {
2191 BTM_TRACE_DEBUG1 ("remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2192 /* the remote features are not known yet */
2193 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2194
2195 return(BTM_CMD_STARTED);
2196 }
2197 }
2198 }
2199 else
2200 {
2201 /* responder */
2202 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2203 {
2204 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2205 chk_acp_auth_done = TRUE;
2206 /* SM4 to SM4 -> always authenticate & encrypt */
2207 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2208 }
2209 else
2210 {
2211 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2212 {
2213 BTM_TRACE_DEBUG1 ("(rsp) remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2214 /* the remote features are not known yet */
2215 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2216
2217 return(BTM_CMD_STARTED);
2218 }
2219 }
2220 }
2221 }
2222
2223 BTM_TRACE_DEBUG4 ("btm_sec_l2cap_access_req() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d",
2224 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2225
2226 old_security_required = p_dev_rec->security_required;
2227 old_is_originator = p_dev_rec->is_originator;
2228 p_dev_rec->security_required = security_required;
2229 p_dev_rec->p_ref_data = p_ref_data;
2230 p_dev_rec->is_originator = is_originator;
2231
2232 #if (L2CAP_UCD_INCLUDED == TRUE)
2233 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2234 p_dev_rec->is_ucd = TRUE;
2235 else
2236 p_dev_rec->is_ucd = FALSE;
2237 #endif
2238
2239 /* If there are multiple service records used through the same PSM */
2240 /* leave security decision for the multiplexor on the top */
2241 #if (L2CAP_UCD_INCLUDED == TRUE)
2242 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2243 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2244 #else
2245 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2246 #endif
2247 {
2248 BTM_TRACE_DEBUG2 ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2249 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2250 {
2251 BTM_TRACE_EVENT1 ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2252 /* pre-Lisbon: restore the old settings */
2253 p_dev_rec->security_required = old_security_required;
2254 p_dev_rec->is_originator = old_is_originator;
2255
2256 (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS);
2257
2258 return(BTM_SUCCESS);
2259 }
2260 }
2261
2262 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now.
2263 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect response is received*/
2264 if (is_originator && (btm_cb.security_mode != BTM_SEC_MODE_SP || !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2265 {
2266 BTM_TRACE_EVENT1 ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2267 /* restore the old settings */
2268 p_dev_rec->security_required = old_security_required;
2269 p_dev_rec->is_originator = old_is_originator;
2270
2271 (*p_callback) (bd_addr, p_ref_data, BTM_SUCCESS);
2272
2273 return(BTM_SUCCESS);
2274 }
2275
2276 if (chk_acp_auth_done)
2277 {
2278 BTM_TRACE_DEBUG2 ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2279 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2280 /* SM4, but we do not know for sure which level of security we need.
2281 * as long as we have a link key, it's OK */
2282 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2283 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2284 {
2285 rc = BTM_DELAY_CHECK;
2286 /*
2287 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2288 because of data path issues. Delay this disconnect a little bit
2289 */
2290 BTM_TRACE_ERROR0 ("peer should have initiated security process by now (SM4 to SM4)");
2291 p_dev_rec->p_callback = p_callback;
2292 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC;
2293 (*p_callback) (bd_addr, p_ref_data, rc);
2294
2295 return(BTM_SUCCESS);
2296 }
2297 }
2298
2299 p_dev_rec->p_callback = p_callback;
2300
2301 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2302 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2303 {
2304 /* Although authentication and encryption are per connection
2305 ** authorization is per access request. For example when serial connection
2306 ** is up and authorized and client requests to read file (access to other
2307 ** scn), we need to request user's permission again.
2308 */
2309 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2310 }
2311
2312 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2313 {
2314 /* If we already have a link key to the connected peer, is the link key secure enough ? */
2315 btm_sec_check_upgrade(p_dev_rec, is_originator);
2316 }
2317
2318 BTM_TRACE_EVENT6 ("Security Manager: l2cap_access_req PSM:%d Handle:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2319 psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2320
2321 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2322 {
2323 p_dev_rec->p_callback = NULL;
2324 (*p_callback) (bd_addr, p_dev_rec->p_ref_data, (UINT8)rc);
2325 }
2326
2327 return(rc);
2328 }
2329
2330 /*******************************************************************************
2331 **
2332 ** Function btm_sec_mx_access_request
2333 **
2334 ** Description This function is called by all Multiplexing Protocols during
2335 ** establishing connection to or from peer device to grant
2336 ** permission to establish application connection.
2337 **
2338 ** Parameters: bd_addr - Address of the peer device
2339 ** psm - L2CAP PSM
2340 ** is_originator - TRUE if protocol above L2CAP originates
2341 ** connection
2342 ** mx_proto_id - protocol ID of the multiplexer
2343 ** mx_chan_id - multiplexer channel to reach application
2344 ** p_callback - Pointer to callback function called if
2345 ** this function returns PENDING after required
2346 ** procedures are completed
2347 ** p_ref_data - Pointer to any reference data needed by the
2348 ** the callback function.
2349 **
2350 ** Returns BTM_CMD_STARTED
2351 **
2352 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2353 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2354 UINT32 mx_proto_id, UINT32 mx_chan_id,
2355 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2356
2357 {
2358 tBTM_SEC_DEV_REC *p_dev_rec;
2359 tBTM_SEC_SERV_REC *p_serv_rec;
2360 tBTM_STATUS rc;
2361 UINT16 security_required;
2362
2363 BTM_TRACE_DEBUG1 ("btm_sec_mx_access_request is_originator:%d", is_originator);
2364 /* Find or get oldest record */
2365 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2366
2367 /* Find the service record for the PSM */
2368 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2369
2370 /* If there is no application registered with this PSM do not allow connection */
2371 if (!p_serv_rec)
2372 {
2373 if (p_callback)
2374 (*p_callback) (bd_addr, p_ref_data, BTM_MODE_UNSUPPORTED);
2375
2376 BTM_TRACE_ERROR3 ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2377 psm, mx_proto_id, mx_chan_id);
2378 return BTM_NO_RESOURCES;
2379 }
2380
2381 /* there are some devices (moto phone) which connects to several services at the same time */
2382 /* we will process one after another */
2383 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2384 {
2385 BTM_TRACE_EVENT4 ("btm_sec_mx_access_request service PSM:%d Proto:%d SCN:%d delayed state: %s",
2386 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2387
2388 rc = BTM_CMD_STARTED;
2389 security_required = p_serv_rec->security_flags;
2390 if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2391 || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2392 || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2393 )
2394 {
2395 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2396 * or SM4 with no possibility of link key upgrade */
2397 if (is_originator)
2398 {
2399 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2400 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2401 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2402 )
2403 {
2404 rc = BTM_SUCCESS;
2405 }
2406 }
2407 else
2408 {
2409 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2410 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2411 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2412 )
2413 {
2414 rc = BTM_SUCCESS;
2415 }
2416 }
2417 }
2418 if (rc == BTM_CMD_STARTED)
2419 {
2420 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id, mx_chan_id, p_callback, p_ref_data);
2421 return rc;
2422 }
2423 }
2424
2425 p_dev_rec->p_cur_service = p_serv_rec;
2426 p_dev_rec->security_required = p_serv_rec->security_flags;
2427
2428 if (BTM_SEC_MODE_SP == btm_cb.security_mode)
2429 {
2430 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2431 {
2432 /* If we already have a link key, check if that link key is good enough */
2433 btm_sec_check_upgrade(p_dev_rec, is_originator);
2434 }
2435 }
2436
2437 p_dev_rec->is_originator = is_originator;
2438 p_dev_rec->p_callback = p_callback;
2439 p_dev_rec->p_ref_data = p_ref_data;
2440
2441 /* Although authentication and encryption are per connection */
2442 /* authorization is per access request. For example when serial connection */
2443 /* is up and authorized and client requests to read file (access to other */
2444 /* scn, we need to request user's permission again. */
2445 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2446
2447 BTM_TRACE_EVENT6 ("Security Manager: mx_access_req proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2448 mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2449
2450 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2451 {
2452 if (p_callback)
2453 {
2454 p_dev_rec->p_callback = NULL;
2455
2456 (*p_callback) (bd_addr, p_ref_data, (UINT8)rc);
2457 }
2458 }
2459
2460 return rc;
2461 }
2462
2463 /*******************************************************************************
2464 **
2465 ** Function btm_sec_conn_req
2466 **
2467 ** Description This function is when the peer device is requesting
2468 ** connection
2469 **
2470 ** Returns void
2471 **
2472 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2473 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2474 {
2475 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
2476
2477 /* Some device may request a connection before we are done with the HCI_Reset sequence */
2478 if (btm_cb.devcb.state != BTM_DEV_STATE_READY)
2479 {
2480 BTM_TRACE_EVENT0 ("Security Manager: connect request when device not ready");
2481 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2482 return;
2483 }
2484
2485 /* Security guys wants us not to allow connection from not paired devices */
2486
2487 /* Check if connection is allowed for only paired devices */
2488 if (btm_cb.connect_only_paired)
2489 {
2490 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2491 {
2492 BTM_TRACE_EVENT0 ("Security Manager: connect request from non-paired device");
2493 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2494 return;
2495 }
2496 }
2497
2498 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2499 /* If non-discoverable, only allow known devices to connect */
2500 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2501 {
2502 if (!p_dev_rec)
2503 {
2504 BTM_TRACE_EVENT0 ("Security Manager: connect request from not paired device");
2505 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2506 return;
2507 }
2508 }
2509 #endif
2510
2511 /* Host can be registered to verify comming BDA or DC */
2512 if (btm_cb.p_conn_filter_cb)
2513 {
2514 if (!(* btm_cb.p_conn_filter_cb) (bda, dc))
2515 {
2516 BTM_TRACE_EVENT0 ("Security Manager: connect request did not pass filter");
2517
2518 /* incomming call did not pass connection filters. Reject */
2519 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2520 return;
2521 }
2522 }
2523
2524 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2525 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2526 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2527 {
2528 BTM_TRACE_EVENT0 ("Security Manager: reject connect request from bonding device");
2529
2530 /* incoming connection from bonding device is rejected */
2531 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2532 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2533 return;
2534 }
2535
2536 /* Host is not interested or approved connection. Save BDA and DC and */
2537 /* pass request to L2CAP */
2538 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2539 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN);
2540
2541 if (l2c_link_hci_conn_req (bda))
2542 {
2543 if (!p_dev_rec)
2544 {
2545 /* accept the connection -> allocate a device record */
2546 p_dev_rec = btm_sec_alloc_dev (bda);
2547 }
2548 if (p_dev_rec)
2549 {
2550 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2551 }
2552 }
2553 }
2554
2555 /*******************************************************************************
2556 **
2557 ** Function btm_sec_bond_cancel_complete
2558 **
2559 ** Description This function is called to report bond cancel complete
2560 ** event.
2561 **
2562 ** Returns void
2563 **
2564 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2565 static void btm_sec_bond_cancel_complete (void)
2566 {
2567 tBTM_SEC_DEV_REC *p_dev_rec;
2568
2569 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2570 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2571 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2572 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2573 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2574 {
2575 /* for dedicated bonding in legacy mode, authentication happens at "link level"
2576 * btm_sec_connected is called with failed status.
2577 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2578 * However, this function may clean out the security related flags and btm_sec_connected would not know
2579 * this function also needs to do proper clean up.
2580 */
2581 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2582 p_dev_rec->security_required = BTM_SEC_NONE;
2583 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2584
2585 /* Notify application that the cancel succeeded */
2586 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2587 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2588 }
2589 }
2590
2591 /*******************************************************************************
2592 **
2593 ** Function btm_create_conn_cancel_complete
2594 **
2595 ** Description This function is called when the command complete message
2596 ** is received from the HCI for the create connection cancel
2597 ** command.
2598 **
2599 ** Returns void
2600 **
2601 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2602 void btm_create_conn_cancel_complete (UINT8 *p)
2603 {
2604 UINT8 status;
2605
2606 STREAM_TO_UINT8 (status, p);
2607 BTM_TRACE_EVENT2 ("btm_create_conn_cancel_complete(): in State: %s status:%d",
2608 btm_pair_state_descr(btm_cb.pairing_state), status);
2609
2610 /* if the create conn cancel cmd was issued by the bond cancel,
2611 ** the application needs to be notified that bond cancel succeeded
2612 */
2613 switch (status)
2614 {
2615 case HCI_SUCCESS:
2616 btm_sec_bond_cancel_complete();
2617 break;
2618 case HCI_ERR_CONNECTION_EXISTS:
2619 case HCI_ERR_NO_CONNECTION:
2620 default:
2621 /* Notify application of the error */
2622 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2623 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2624 break;
2625 }
2626 }
2627
2628 /*******************************************************************************
2629 **
2630 ** Function btm_sec_check_pending_reqs
2631 **
2632 ** Description This function is called at the end of the security procedure
2633 ** to let L2CAP and RFCOMM know to re-submit any pending requests
2634 **
2635 ** Returns void
2636 **
2637 *******************************************************************************/
btm_sec_check_pending_reqs(void)2638 void btm_sec_check_pending_reqs (void)
2639 {
2640 tBTM_SEC_QUEUE_ENTRY *p_e;
2641 BUFFER_Q bq;
2642
2643 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2644 {
2645 /* First, resubmit L2CAP requests */
2646 if (btm_cb.sec_req_pending)
2647 {
2648 btm_cb.sec_req_pending = FALSE;
2649 l2cu_resubmit_pending_sec_req (NULL);
2650 }
2651
2652 /* Now, re-submit anything in the mux queue */
2653 bq = btm_cb.sec_pending_q;
2654
2655 GKI_init_q (&btm_cb.sec_pending_q);
2656
2657 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2658 {
2659 /* Check that the ACL is still up before starting security procedures */
2660 if (btm_bda_to_acl(p_e->bd_addr) != NULL)
2661 {
2662 BTM_TRACE_EVENT4 ("btm_sec_check_pending_reqs() submitting PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
2663 p_e->psm, p_e->is_orig, p_e->mx_proto_id, p_e->mx_chan_id);
2664
2665 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2666 p_e->mx_proto_id, p_e->mx_chan_id,
2667 p_e->p_callback, p_e->p_ref_data);
2668 }
2669
2670 GKI_freebuf (p_e);
2671 }
2672 }
2673 }
2674
2675 /*******************************************************************************
2676 **
2677 ** Function btm_sec_init
2678 **
2679 ** Description This function is on the SEC startup
2680 **
2681 ** Returns void
2682 **
2683 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2684 void btm_sec_init (UINT8 sec_mode)
2685 {
2686 #if 0 /* cleared in btm_init; put back in if calling from anywhere else! */
2687 int i;
2688
2689 memset (btm_cb.sec_serv_rec, 0, sizeof (btm_cb.sec_serv_rec));
2690 memset (btm_cb.sec_dev_rec, 0, sizeof (btm_cb.sec_dev_rec));
2691 memset (&btm_cb.pairing_tle, 0, sizeof(TIMER_LIST_ENT));
2692
2693 #endif
2694 btm_cb.security_mode = sec_mode;
2695 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2696 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2697 }
2698
2699 /*******************************************************************************
2700 **
2701 ** Function btm_sec_device_down
2702 **
2703 ** Description This function should be called when device is disabled or
2704 ** turned off
2705 **
2706 ** Returns void
2707 **
2708 *******************************************************************************/
btm_sec_device_down(void)2709 void btm_sec_device_down (void)
2710 {
2711 BTM_TRACE_EVENT1 ("btm_sec_device_down() State: %s", btm_pair_state_descr(btm_cb.pairing_state));
2712
2713 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2714 }
2715
2716 /*******************************************************************************
2717 **
2718 ** Function btm_sec_dev_reset
2719 **
2720 ** Description This function should be called after device reset
2721 **
2722 ** Returns void
2723 **
2724 *******************************************************************************/
btm_sec_dev_reset(void)2725 void btm_sec_dev_reset (void)
2726 {
2727 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
2728 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
2729 {
2730 btsnd_hcic_write_auth_enable (TRUE);
2731 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT);
2732 }
2733 #endif
2734 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
2735 else
2736 #endif
2737 /* btm_sec_dev_reset() is only called from btm_decode_ext_features_page(...)
2738 * right now. */
2739 if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
2740 {
2741 #if BLE_INCLUDED == TRUE
2742 btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID,
2743 (UINT8 *)HCI_DUMO_EVENT_MASK_EXT);
2744 #else
2745 btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID,
2746 (UINT8 *)HCI_LISBON_EVENT_MASK_EXT);
2747 #endif
2748 /* set the default IO capabilities */
2749 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2750 /* add mx service to use no security */
2751 #if (RFCOMM_INCLUDED == TRUE)
2752 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2753 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2754 #endif
2755 }
2756 else
2757 {
2758 btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2759 }
2760
2761 BTM_TRACE_DEBUG1 ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2762 }
2763
2764 /*******************************************************************************
2765 **
2766 ** Function btm_sec_abort_access_req
2767 **
2768 ** Description This function is called by the L2CAP or RFCOMM to abort
2769 ** the pending operation.
2770 **
2771 ** Parameters: bd_addr - Address of the peer device
2772 **
2773 ** Returns void
2774 **
2775 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2776 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2777 {
2778 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2779
2780 if (!p_dev_rec)
2781 return;
2782
2783 if (btm_cb.api.p_abort_callback)
2784 (*btm_cb.api.p_abort_callback)(bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
2785
2786 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
2787 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
2788 return;
2789
2790 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2791 p_dev_rec->p_callback = NULL;
2792 }
2793
2794 /*******************************************************************************
2795 **
2796 ** Function btm_sec_dd_create_conn
2797 **
2798 ** Description This function is called to create the ACL connection for
2799 ** the dedicated boding process
2800 **
2801 ** Returns void
2802 **
2803 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)2804 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
2805 {
2806 tL2C_LCB *p_lcb;
2807
2808 /* Make sure an L2cap link control block is available */
2809 if ((p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE)) == NULL)
2810 {
2811 BTM_TRACE_WARNING6 ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
2812 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2813 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2814
2815 return(BTM_NO_RESOURCES);
2816 }
2817
2818 /* set up the control block to indicated dedicated bonding */
2819 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
2820
2821 if (l2cu_create_conn(p_lcb) == FALSE)
2822 {
2823 BTM_TRACE_WARNING6 ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]",
2824 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2825 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2826
2827 l2cu_release_lcb(p_lcb);
2828 return(BTM_NO_RESOURCES);
2829 }
2830
2831 #if (defined(BTM_BUSY_LEVEL_CHANGE_INCLUDED) && BTM_BUSY_LEVEL_CHANGE_INCLUDED == TRUE)
2832 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
2833 #endif
2834
2835 BTM_TRACE_DEBUG6 ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
2836 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2837 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2838
2839 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
2840
2841 return(BTM_CMD_STARTED);
2842 }
2843
2844 /*******************************************************************************
2845 **
2846 ** Function btm_sec_rmt_name_request_complete
2847 **
2848 ** Description This function is called when remote name was obtained from
2849 ** the peer device
2850 **
2851 ** Returns void
2852 **
2853 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)2854 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
2855 {
2856 tBTM_SEC_DEV_REC *p_dev_rec;
2857 int i;
2858 DEV_CLASS dev_class;
2859 UINT8 old_sec_state;
2860
2861 BTM_TRACE_EVENT0 ("btm_sec_rmt_name_request_complete");
2862 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
2863 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
2864 {
2865 btm_acl_resubmit_page();
2866 }
2867
2868 /* If remote name request failed, p_bd_addr is null and we need to search */
2869 /* based on state assuming that we are doing 1 at a time */
2870 if (p_bd_addr)
2871 p_dev_rec = btm_find_dev (p_bd_addr);
2872 else
2873 {
2874 p_dev_rec = &btm_cb.sec_dev_rec[0];
2875
2876 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
2877 {
2878 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
2879 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
2880 {
2881 p_bd_addr = p_dev_rec->bd_addr;
2882 break;
2883 }
2884 }
2885
2886 if (i == BTM_SEC_MAX_DEVICE_RECORDS)
2887 p_dev_rec = NULL;
2888 }
2889
2890
2891 /* Commenting out trace due to obf/compilation problems.
2892 */
2893 #if (BT_USE_TRACES == TRUE)
2894 if (!p_bd_name)
2895 p_bd_name = (UINT8 *)"";
2896
2897 if (p_dev_rec)
2898 {
2899 BTM_TRACE_EVENT5 ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ",
2900 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
2901 status, p_dev_rec->sec_state, p_dev_rec);
2902 }
2903 else
2904 {
2905 BTM_TRACE_EVENT3 ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d",
2906 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
2907 status);
2908 }
2909 #endif
2910
2911 if (p_dev_rec)
2912 {
2913 old_sec_state = p_dev_rec->sec_state;
2914 if (status == HCI_SUCCESS)
2915 {
2916 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
2917 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
2918 BTM_TRACE_EVENT1 ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
2919 }
2920 else
2921 {
2922 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
2923 p_dev_rec->sec_bd_name[0] = 0;
2924 }
2925
2926 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
2927 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2928
2929 /* Notify all clients waiting for name to be resolved */
2930 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
2931 {
2932 if (btm_cb.p_rmt_name_callback[i])
2933 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
2934 p_dev_rec->sec_bd_name);
2935 }
2936 }
2937 else
2938 {
2939 dev_class[0] = 0;
2940 dev_class[1] = 0;
2941 dev_class[2] = 0;
2942
2943 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
2944 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
2945 {
2946 if (btm_cb.p_rmt_name_callback[i])
2947 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
2948 }
2949
2950 return;
2951 }
2952
2953 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
2954 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
2955 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
2956 {
2957 BTM_TRACE_EVENT2 ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
2958
2959 if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
2960 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
2961 btm_cb.api.p_pin_callback)
2962 {
2963 BTM_TRACE_EVENT0 ("btm_sec_rmt_name_request_complete() calling pin_callback");
2964 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
2965 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name);
2966 }
2967
2968 /* Set the same state again to force the timer to be restarted */
2969 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
2970 return;
2971 }
2972
2973 /* Check if we were delaying bonding because name was not resolved */
2974 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
2975 {
2976 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
2977 {
2978 BTM_TRACE_EVENT2 ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
2979 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
2980 {
2981 btm_sec_bond_cancel_complete();
2982 return;
2983 }
2984
2985 if (status != HCI_SUCCESS)
2986 {
2987 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2988
2989 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
2990 p_dev_rec->sec_bd_name, status);
2991 return;
2992 }
2993
2994 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
2995 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
2996 {
2997 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.
2998 * If it is set, there may be a race condition */
2999 BTM_TRACE_EVENT1 ("btm_sec_rmt_name_request_complete IS_SM4_UNKNOWN Flags:0x%04x", btm_cb.pairing_flags);
3000 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3001 {
3002 p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3003 }
3004 }
3005
3006 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3007 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3008 */
3009 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3010 {
3011 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3012 /* before originating */
3013 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3014 {
3015 BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
3016 }
3017 /* Both we and the peer are 2.1 - continue to create connection */
3018 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3019 {
3020 BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: failed to start connection");
3021
3022 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3023
3024 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3025 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3026 }
3027 }
3028 return;
3029 }
3030 else
3031 {
3032 BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
3033
3034 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL);
3035 return;
3036 }
3037 }
3038
3039 /* check if we were delaying link_key_callback because name was not resolved */
3040 if (p_dev_rec->link_key_not_sent)
3041 {
3042 /* If HCI connection complete has not arrived, wait for it */
3043 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3044 return;
3045
3046 p_dev_rec->link_key_not_sent = FALSE;
3047 btm_send_link_key_notif(p_dev_rec);
3048
3049 /* If its not us who perform authentication, we should tell stackserver */
3050 /* that some authentication has been completed */
3051 /* This is required when different entities receive link notification and auth complete */
3052 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3053 {
3054 if (btm_cb.api.p_auth_complete_callback)
3055 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3056 p_dev_rec->dev_class,
3057 p_dev_rec->sec_bd_name, HCI_SUCCESS);
3058
3059 }
3060 }
3061
3062 /* If this is a bonding procedure can disconnect the link now */
3063 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3064 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3065 {
3066 BTM_TRACE_WARNING0 ("btm_sec_rmt_name_request_complete (none/ce)");
3067 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3068 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3069 return;
3070 }
3071
3072 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3073 return;
3074
3075 /* If get name failed, notify the waiting layer */
3076 if (status != HCI_SUCCESS)
3077 {
3078 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
3079 return;
3080 }
3081
3082 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3083 {
3084 BTM_TRACE_EVENT0 ("waiting for remote features!!");
3085 return;
3086 }
3087
3088 /* Remote Name succeeded, execute the next security procedure, if any */
3089 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3090
3091 /* If result is pending reply from the user or from the device is pending */
3092 if (status == BTM_CMD_STARTED)
3093 return;
3094
3095 /* There is no next procedure or start of procedure failed, notify the waiting layer */
3096 btm_sec_dev_rec_cback_event (p_dev_rec, status);
3097 }
3098
3099 /*******************************************************************************
3100 **
3101 ** Function btm_sec_rmt_host_support_feat_evt
3102 **
3103 ** Description This function is called when the
3104 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3105 **
3106 ** Returns void
3107 **
3108 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3109 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3110 {
3111 tBTM_SEC_DEV_REC *p_dev_rec;
3112 BD_ADDR bd_addr; /* peer address */
3113 BD_FEATURES features;
3114
3115 STREAM_TO_BDADDR (bd_addr, p);
3116 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3117
3118 BTM_TRACE_EVENT2 ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3119
3120 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3121 {
3122 p_dev_rec->sm4 = BTM_SM4_KNOWN;
3123 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3124 if (HCI_SSP_HOST_SUPPORTED(features))
3125 {
3126 p_dev_rec->sm4 = BTM_SM4_TRUE;
3127 }
3128 BTM_TRACE_EVENT2 ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3129 }
3130 }
3131
3132 /*******************************************************************************
3133 **
3134 ** Function btm_io_capabilities_req
3135 **
3136 ** Description This function is called when LM request for the IO
3137 ** capability of the local device and
3138 ** if the OOB data is present for the device in the event
3139 **
3140 ** Returns void
3141 **
3142 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3143 void btm_io_capabilities_req (UINT8 *p)
3144 {
3145 tBTM_SP_IO_REQ evt_data;
3146 UINT8 err_code = 0;
3147 tBTM_SEC_DEV_REC *p_dev_rec;
3148 BOOLEAN is_orig = TRUE;
3149 UINT8 callback_rc = BTM_SUCCESS;
3150
3151 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3152
3153 /* setup the default response according to compile options */
3154 /* assume that the local IO capability does not change
3155 * loc_io_caps is initialized with the default value */
3156 evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3157 evt_data.oob_data = BTM_OOB_NONE;
3158 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3159
3160 BTM_TRACE_EVENT1 ("btm_io_capabilities_req() State: %s", btm_pair_state_descr(btm_cb.pairing_state));
3161
3162 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3163 p_dev_rec->sm4 |= BTM_SM4_TRUE;
3164
3165 BTM_TRACE_EVENT3 ("btm_io_capabilities_req() State: %s Flags: 0x%04x p_cur_service: 0x%08x",
3166 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3167
3168 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3169 {
3170 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP)
3171 {
3172 /* received IO capability response already-> not the originator of SSP */
3173 is_orig = FALSE;
3174
3175 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3176 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3177 }
3178 /* security is already in progress */
3179 else if (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)
3180 {
3181 /* coverity[uninit_use_in_call]
3182 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3183 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3184 */
3185 if (memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3186 {
3187 /* and it's not the device in bonding -> reject it */
3188 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3189 }
3190 else
3191 {
3192 /* local device initiated dedicated bonding */
3193 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3194 }
3195 }
3196 else
3197 {
3198 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3199 }
3200 }
3201
3202 /* paring is not allowed */
3203 if (btm_cb.pairing_disabled)
3204 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3205
3206 if (err_code != 0)
3207 {
3208 /* coverity[uninit_use_in_call]
3209 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3210 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3211 */
3212 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3213 return;
3214 }
3215
3216 evt_data.is_orig = is_orig;
3217
3218 if (is_orig)
3219 {
3220 /* local device initiated the pairing non-bonding -> use p_cur_service */
3221 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3222 p_dev_rec->p_cur_service &&
3223 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3224 {
3225 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_MITM) ? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3226 }
3227 }
3228
3229 /* Notify L2CAP to increase timeout */
3230 l2c_pin_code_request (evt_data.bd_addr);
3231
3232 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3233
3234 /* coverity[uninit_use_in_call]
3235 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3236 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3237 */
3238 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3239 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3240
3241 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3242
3243 callback_rc = BTM_SUCCESS;
3244 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3245 {
3246 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3247
3248 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3249 evt_data.auth_req = BTM_AUTH_SPGB_YES;
3250 }
3251 else if (btm_cb.api.p_sp_callback)
3252 {
3253 /* the callback function implementation may change the IO capability... */
3254 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3255 }
3256
3257 #if BTM_OOB_INCLUDED == TRUE
3258 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3259 #else
3260 if (callback_rc == BTM_SUCCESS)
3261 #endif
3262 {
3263 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3264 {
3265 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3266 }
3267
3268 /* if the user does not indicate "reply later" by setting the oob_data to unknown
3269 * send the response right now. Save the current IO capability in the control block */
3270 btm_cb.devcb.loc_auth_req = evt_data.auth_req;
3271 btm_cb.devcb.loc_io_caps = evt_data.io_cap;
3272
3273 BTM_TRACE_EVENT4 ("btm_io_capabilities_req: State: %s IO_CAP:%d oob_data:%d auth_req:%d",
3274 btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3275 evt_data.oob_data, evt_data.auth_req);
3276
3277 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3278 evt_data.oob_data, evt_data.auth_req);
3279 }
3280 }
3281
3282 /*******************************************************************************
3283 **
3284 ** Function btm_io_capabilities_rsp
3285 **
3286 ** Description This function is called when the IO capability of the
3287 ** specified device is received
3288 **
3289 ** Returns void
3290 **
3291 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3292 void btm_io_capabilities_rsp (UINT8 *p)
3293 {
3294 tBTM_SEC_DEV_REC *p_dev_rec;
3295 tBTM_SP_IO_RSP evt_data;
3296
3297 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3298 STREAM_TO_UINT8 (evt_data.io_cap, p);
3299 STREAM_TO_UINT8 (evt_data.oob_data, p);
3300 STREAM_TO_UINT8 (evt_data.auth_req, p);
3301
3302 /* Allocate a new device record or reuse the oldest one */
3303 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3304
3305 /* If no security is in progress, this indicates incoming security */
3306 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3307 {
3308 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3309
3310 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3311
3312 /* Make sure we reset the trusted mask to help against attacks */
3313 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3314
3315 /* work around for FW bug */
3316 btm_inq_stop_on_ssp();
3317 }
3318
3319 /* Notify L2CAP to increase timeout */
3320 l2c_pin_code_request (evt_data.bd_addr);
3321
3322 /* We must have a device record here.
3323 * Use the connecting device's CoD for the connection */
3324 /* coverity[uninit_use_in_call]
3325 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3326 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3327 */
3328 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3329 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3330
3331 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3332 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3333 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */
3334 {
3335 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3336 }
3337
3338 /* save the IO capability in the device record */
3339 p_dev_rec->rmt_io_caps = evt_data.io_cap;
3340 p_dev_rec->rmt_auth_req = evt_data.auth_req;
3341
3342 if (btm_cb.api.p_sp_callback)
3343 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3344 }
3345
3346 /*******************************************************************************
3347 **
3348 ** Function btm_proc_sp_req_evt
3349 **
3350 ** Description This function is called to process/report
3351 ** HCI_USER_CONFIRMATION_REQUEST_EVT
3352 ** or HCI_USER_PASSKEY_REQUEST_EVT
3353 ** or HCI_USER_PASSKEY_NOTIFY_EVT
3354 **
3355 ** Returns void
3356 **
3357 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3358 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3359 {
3360 tBTM_STATUS status = BTM_ERR_PROCESSING;
3361 tBTM_SP_EVT_DATA evt_data;
3362 UINT8 *p_bda = evt_data.cfm_req.bd_addr;
3363 tBTM_SEC_DEV_REC *p_dev_rec;
3364
3365 /* All events start with bd_addr */
3366 STREAM_TO_BDADDR (p_bda, p);
3367
3368 BTM_TRACE_EVENT4 ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3369 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3370 event, btm_pair_state_descr(btm_cb.pairing_state));
3371
3372 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3373 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3374 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3375 {
3376 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3377 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3378
3379 BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3380
3381 switch (event)
3382 {
3383 case BTM_SP_CFM_REQ_EVT:
3384 /* Numeric confirmation. Need user to conf the passkey */
3385 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3386
3387 /* The device record must be allocated in the "IO cap exchange" step */
3388 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3389
3390 evt_data.cfm_req.just_works = TRUE;
3391
3392 /* process user confirm req in association with the auth_req param */
3393 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3394 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3395 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3396 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3397 {
3398 /* Both devices are DisplayYesNo and one or both devices want to authenticate
3399 -> use authenticated link key */
3400 evt_data.cfm_req.just_works = FALSE;
3401 }
3402 #endif
3403 BTM_TRACE_DEBUG5 ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3404 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3405 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3406
3407 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req;
3408 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req;
3409 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps;
3410 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps;
3411 break;
3412
3413 case BTM_SP_KEY_NOTIF_EVT:
3414 /* Passkey notification (other side is a keyboard) */
3415 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3416
3417 BTM_TRACE_DEBUG1 ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey);
3418
3419 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3420 break;
3421
3422 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3423 case BTM_SP_KEY_REQ_EVT:
3424 /* HCI_USER_PASSKEY_REQUEST_EVT */
3425 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3426 break;
3427 #endif
3428 }
3429
3430 if (btm_cb.api.p_sp_callback)
3431 {
3432 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3433 if (status != BTM_NOT_AUTHORIZED)
3434 {
3435 return;
3436 }
3437 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3438 }
3439 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3440 {
3441 /* automatically reply with just works if no sp_cback */
3442 status = BTM_SUCCESS;
3443 }
3444
3445 if (event == BTM_SP_CFM_REQ_EVT)
3446 {
3447 BTM_TRACE_DEBUG1 ("calling BTM_ConfirmReqReply with status: %d", status);
3448 BTM_ConfirmReqReply (status, p_bda);
3449 }
3450 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3451 else if (event == BTM_SP_KEY_REQ_EVT)
3452 {
3453 BTM_PasskeyReqReply(status, p_bda, 0);
3454 }
3455 #endif
3456 return;
3457 }
3458
3459 /* Something bad. we can only fail this connection */
3460 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3461
3462 if (BTM_SP_CFM_REQ_EVT == event)
3463 {
3464 btsnd_hcic_user_conf_reply (p_bda, FALSE);
3465 }
3466 else if (BTM_SP_KEY_NOTIF_EVT == event)
3467 {
3468 /* do nothing -> it very unlikely to happen.
3469 This event is most likely to be received by a HID host when it first connects to a HID device.
3470 Usually the Host initiated the connection in this case.
3471 On Mobile platforms, if there's a security process happening,
3472 the host probably can not initiate another connection.
3473 BTW (PC) is another story. */
3474 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3475 {
3476 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3477 }
3478 }
3479 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3480 else
3481 {
3482 btsnd_hcic_user_passkey_neg_reply(p_bda);
3483 }
3484 #endif
3485 }
3486
3487 /*******************************************************************************
3488 **
3489 ** Function btm_keypress_notif_evt
3490 **
3491 ** Description This function is called when a key press notification is
3492 ** received
3493 **
3494 ** Returns void
3495 **
3496 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3497 void btm_keypress_notif_evt (UINT8 *p)
3498 {
3499 tBTM_SP_KEYPRESS evt_data;
3500 UINT8 *p_bda;
3501
3502 /* parse & report BTM_SP_KEYPRESS_EVT */
3503 if (btm_cb.api.p_sp_callback)
3504 {
3505 p_bda = evt_data.bd_addr;
3506
3507 STREAM_TO_BDADDR (p_bda, p);
3508 evt_data.notif_type = *p;
3509
3510 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3511 }
3512 }
3513
3514 /*******************************************************************************
3515 **
3516 ** Function btm_simple_pair_complete
3517 **
3518 ** Description This function is called when simple pairing process is
3519 ** complete
3520 **
3521 ** Returns void
3522 **
3523 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3524 void btm_simple_pair_complete (UINT8 *p)
3525 {
3526 tBTM_SP_COMPLT evt_data;
3527 tBTM_SEC_DEV_REC *p_dev_rec;
3528 UINT8 status;
3529 BOOLEAN disc = FALSE;
3530
3531 status = *p++;
3532 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3533
3534 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3535 {
3536 BTM_TRACE_ERROR2 ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3537 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3538 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3539 return;
3540 }
3541
3542 BTM_TRACE_EVENT3 ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u",
3543 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state);
3544
3545 evt_data.status = BTM_ERR_PROCESSING;
3546 if (status == HCI_SUCCESS)
3547 {
3548 evt_data.status = BTM_SUCCESS;
3549 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3550 }
3551 else
3552 {
3553 if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3554 {
3555 /* The test spec wants the peer device to get this failure code. */
3556 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3557
3558 /* Change the timer to 1 second */
3559 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3560 }
3561 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3562 {
3563 /* stop the timer */
3564 btu_stop_timer (&btm_cb.pairing_tle);
3565
3566 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3567 {
3568 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3569 disc = TRUE;
3570 }
3571 }
3572 else
3573 disc = TRUE;
3574 }
3575
3576 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3577 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3578 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3579
3580 if (btm_cb.api.p_sp_callback)
3581 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3582
3583 if (disc)
3584 {
3585 /* simple pairing failed */
3586 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE);
3587 }
3588 }
3589
3590 #if BTM_OOB_INCLUDED == TRUE
3591 /*******************************************************************************
3592 **
3593 ** Function btm_rem_oob_req
3594 **
3595 ** Description This function is called to process/report
3596 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT
3597 **
3598 ** Returns void
3599 **
3600 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3601 void btm_rem_oob_req (UINT8 *p)
3602 {
3603 UINT8 *p_bda;
3604 tBTM_SP_RMT_OOB evt_data;
3605 tBTM_SEC_DEV_REC *p_dev_rec;
3606 BT_OCTET16 c;
3607 BT_OCTET16 r;
3608
3609 p_bda = evt_data.bd_addr;
3610
3611 STREAM_TO_BDADDR (p_bda, p);
3612
3613 BTM_TRACE_EVENT6 ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3614 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3615
3616 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3617 btm_cb.api.p_sp_callback)
3618 {
3619 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3620 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3621 BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3622 evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3623
3624 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3625 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3626 {
3627 BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3628 }
3629 return;
3630 }
3631
3632 /* something bad. we can only fail this connection */
3633 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3634 btsnd_hcic_rem_oob_neg_reply (p_bda);
3635 }
3636
3637 /*******************************************************************************
3638 **
3639 ** Function btm_read_local_oob_complete
3640 **
3641 ** Description This function is called when read local oob data is
3642 ** completed by the LM
3643 **
3644 ** Returns void
3645 **
3646 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3647 void btm_read_local_oob_complete (UINT8 *p)
3648 {
3649 tBTM_SP_LOC_OOB evt_data;
3650 UINT8 status = *p++;
3651
3652 BTM_TRACE_EVENT1 ("btm_read_local_oob_complete:%d", status);
3653 if (status == HCI_SUCCESS)
3654 {
3655 evt_data.status = BTM_SUCCESS;
3656 STREAM_TO_ARRAY16(evt_data.c, p);
3657 STREAM_TO_ARRAY16(evt_data.r, p);
3658 }
3659 else
3660 evt_data.status = BTM_ERR_PROCESSING;
3661
3662 if (btm_cb.api.p_sp_callback)
3663 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3664 }
3665 #endif /* BTM_OOB_INCLUDED */
3666
3667 /*******************************************************************************
3668 **
3669 ** Function btm_sec_auth_collision
3670 **
3671 ** Description This function is called when authentication or encryption
3672 ** needs to be retried at a later time.
3673 **
3674 ** Returns void
3675 **
3676 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3677 static void btm_sec_auth_collision (UINT16 handle)
3678 {
3679 tBTM_SEC_DEV_REC *p_dev_rec;
3680
3681 if (!btm_cb.collision_start_time)
3682 btm_cb.collision_start_time = GKI_get_tick_count ();
3683
3684 if ((GKI_get_tick_count () - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3685 {
3686 if (handle == BTM_SEC_INVALID_HANDLE)
3687 {
3688 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3689 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3690 }
3691 else
3692 p_dev_rec = btm_find_dev_by_handle (handle);
3693
3694 if (p_dev_rec != NULL)
3695 {
3696 BTM_TRACE_DEBUG1 ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3697 /* We will restart authentication after timeout */
3698 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3699 p_dev_rec->sec_state = 0;
3700
3701 btm_cb.p_collided_dev_rec = p_dev_rec;
3702 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
3703 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3704 }
3705 }
3706 }
3707
3708 /*******************************************************************************
3709 **
3710 ** Function btm_sec_auth_complete
3711 **
3712 ** Description This function is when authentication of the connection is
3713 ** completed by the LM
3714 **
3715 ** Returns void
3716 **
3717 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)3718 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
3719 {
3720 UINT8 old_sm4;
3721 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
3722 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3723 BOOLEAN are_bonding = FALSE;
3724
3725 /* Commenting out trace due to obf/compilation problems.
3726 */
3727 #if (BT_USE_TRACES == TRUE)
3728 if (p_dev_rec)
3729 {
3730 BTM_TRACE_EVENT6 ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s",
3731 btm_pair_state_descr (btm_cb.pairing_state),
3732 handle, status,
3733 p_dev_rec->sec_state,
3734 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
3735 p_dev_rec->sec_bd_name);
3736 }
3737 else
3738 {
3739 BTM_TRACE_EVENT3 ("Security Manager: auth_complete PairState: %s handle:%u status:%d",
3740 btm_pair_state_descr (btm_cb.pairing_state),
3741 handle, status);
3742 }
3743 #endif
3744
3745 /* For transaction collision we need to wait and repeat. There is no need */
3746 /* for random timeout because only slave should receive the result */
3747 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
3748 {
3749 btm_sec_auth_collision(handle);
3750 return;
3751 }
3752 btm_cb.collision_start_time = 0;
3753
3754 btm_restore_mode();
3755
3756 /* Check if connection was made just to do bonding. If we authenticate
3757 the connection that is up, this is the last event received.
3758 */
3759 if (p_dev_rec
3760 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3761 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
3762 {
3763 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3764
3765 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3766 }
3767
3768 if (!p_dev_rec)
3769 return;
3770
3771 /* keep the old sm4 flag and clear the retry bit in control block */
3772 old_sm4 = p_dev_rec->sm4;
3773 p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
3774
3775 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3776 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3777 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
3778 are_bonding = TRUE;
3779
3780 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3781
3782 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3783 {
3784 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
3785 && (old_state != BTM_PAIR_STATE_IDLE) )
3786 {
3787 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3788 p_dev_rec->dev_class,
3789 p_dev_rec->sec_bd_name, status);
3790 }
3791 return;
3792 }
3793
3794 /* There can be a race condition, when we are starting authentication and
3795 ** the peer device is doing encryption.
3796 ** If first we receive encryption change up, then initiated authentication
3797 ** can not be performed. According to the spec we can not do authentication
3798 ** on the encrypted link, so device is correct.
3799 */
3800 if ((status == HCI_ERR_COMMAND_DISALLOWED)
3801 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
3802 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
3803 {
3804 status = HCI_SUCCESS;
3805 }
3806 /* Currently we do not notify user if it is a keyboard which connects */
3807 /* User probably Disabled the keyboard while it was asleap. Let her try */
3808 if (btm_cb.api.p_auth_complete_callback)
3809 {
3810 /* report the suthentication status */
3811 if (old_state != BTM_PAIR_STATE_IDLE)
3812 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3813 p_dev_rec->dev_class,
3814 p_dev_rec->sec_bd_name, status);
3815 }
3816
3817 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3818
3819 /* If this is a bonding procedure can disconnect the link now */
3820 if (are_bonding)
3821 {
3822 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3823
3824 if (status != HCI_SUCCESS)
3825 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER);
3826 else
3827 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3828
3829 return;
3830 }
3831
3832 /* If authentication failed, notify the waiting layer */
3833 if (status != HCI_SUCCESS)
3834 {
3835 if ((old_sm4 & BTM_SM4_RETRY) == 0)
3836 {
3837 /* allow retry only once */
3838 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
3839 {
3840 /* not retried yet. set the retry bit */
3841 p_dev_rec->sm4 |= BTM_SM4_RETRY;
3842 BTM_TRACE_DEBUG2 ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
3843 }
3844 /* this retry for missing key is for Lisbon or later only.
3845 * Legacy device do not need this. the controller will drive the retry automatically */
3846 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
3847 {
3848 /* not retried yet. set the retry bit */
3849 p_dev_rec->sm4 |= BTM_SM4_RETRY;
3850 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
3851 BTM_TRACE_DEBUG2 ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
3852
3853 /* With BRCM controller, we do not need to delete the stored link key in controller.
3854 If the stack may sit on top of other controller, we may need this
3855 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
3856 }
3857
3858 if (p_dev_rec->sm4 & BTM_SM4_RETRY)
3859 {
3860 btm_sec_execute_procedure (p_dev_rec);
3861 return;
3862 }
3863 }
3864
3865 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
3866
3867 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
3868 {
3869 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE);
3870 }
3871 return;
3872 }
3873
3874 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3875
3876 /* Authentication succeeded, execute the next security procedure, if any */
3877 status = btm_sec_execute_procedure (p_dev_rec);
3878
3879 /* If there is no next procedure, or procedure failed to start, notify the caller */
3880 if (status != BTM_CMD_STARTED)
3881 btm_sec_dev_rec_cback_event (p_dev_rec, status);
3882 }
3883
3884 /*******************************************************************************
3885 **
3886 ** Function btm_sec_mkey_comp_event
3887 **
3888 ** Description This function is when encryption of the connection is
3889 ** completed by the LM
3890 **
3891 ** Returns void
3892 **
3893 *******************************************************************************/
btm_sec_mkey_comp_event(UINT16 handle,UINT8 status,UINT8 key_flg)3894 void btm_sec_mkey_comp_event (UINT16 handle, UINT8 status, UINT8 key_flg)
3895 {
3896 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3897 UINT8 bd_addr[BD_ADDR_LEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} ;
3898
3899 BTM_TRACE_EVENT2 ("Security Manager: mkey comp status:%d State:%d",
3900 status, (p_dev_rec) ? p_dev_rec->sec_state : 0);
3901
3902 /* If encryption setup failed, notify the waiting layer */
3903 /* There is no next procedure or start of procedure failed, notify the waiting layer */
3904 if (btm_cb.mkey_cback)
3905 {
3906 if (!p_dev_rec)
3907 (btm_cb.mkey_cback)(bd_addr, status, key_flg );
3908 else
3909 (btm_cb.mkey_cback)(p_dev_rec->bd_addr, status, key_flg );
3910 }
3911 }
3912
3913 /*******************************************************************************
3914 **
3915 ** Function btm_sec_encrypt_change
3916 **
3917 ** Description This function is when encryption of the connection is
3918 ** completed by the LM
3919 **
3920 ** Returns void
3921 **
3922 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)3923 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
3924 {
3925 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3926 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
3927 tACL_CONN *p_acl;
3928 #endif
3929 BTM_TRACE_EVENT3 ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
3930 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
3931 BTM_TRACE_DEBUG1 ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
3932
3933 /* For transaction collision we need to wait and repeat. There is no need */
3934 /* for random timeout because only slave should receive the result */
3935 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
3936 {
3937 btm_sec_auth_collision(handle);
3938 return;
3939 }
3940 btm_cb.collision_start_time = 0;
3941
3942 if (!p_dev_rec)
3943 return;
3944
3945 if ((status == HCI_SUCCESS) && encr_enable)
3946 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
3947
3948 /* It is possible that we decrypted the link to perform role switch */
3949 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
3950 if ((status == HCI_SUCCESS) && !encr_enable)
3951 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
3952
3953 BTM_TRACE_DEBUG1 ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
3954
3955 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
3956 p_acl = btm_bda_to_acl(p_dev_rec->bd_addr);
3957
3958 if (p_acl && p_acl->is_le_link)
3959 {
3960 btm_ble_link_encrypted(p_dev_rec->bd_addr, encr_enable);
3961 return;
3962 }
3963 else
3964 /* BR/EDR connection, update the encryption key size to be 16 as always */
3965 p_dev_rec->enc_key_size = 16;
3966 #endif
3967
3968 /* If this encryption was started by peer do not need to do anything */
3969 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
3970 {
3971 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
3972 {
3973 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3974 p_dev_rec->p_callback = NULL;
3975 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
3976 }
3977 return;
3978 }
3979
3980 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3981
3982 /* If encryption setup failed, notify the waiting layer */
3983 if (status != HCI_SUCCESS)
3984 {
3985 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
3986 return;
3987 }
3988
3989 /* Encryption setup succeeded, execute the next security procedure, if any */
3990 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3991
3992 /* If there is no next procedure, or procedure failed to start, notify the caller */
3993 if (status != BTM_CMD_STARTED)
3994 btm_sec_dev_rec_cback_event (p_dev_rec, status);
3995 }
3996
3997 /*******************************************************************************
3998 **
3999 ** Function btm_sec_create_conn
4000 **
4001 ** Description This function records current role and forwards request to
4002 ** HCI
4003 **
4004 ** Returns void
4005 **
4006 *******************************************************************************/
btm_sec_create_conn(BD_ADDR bda,UINT16 packet_types,UINT8 page_scan_rep_mode,UINT8 page_scan_mode,UINT16 clock_offset,UINT8 allow_switch)4007 BOOLEAN btm_sec_create_conn (BD_ADDR bda, UINT16 packet_types,
4008 UINT8 page_scan_rep_mode, UINT8 page_scan_mode,
4009 UINT16 clock_offset, UINT8 allow_switch)
4010 {
4011 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (bda);
4012
4013 memcpy (btm_cb.connecting_bda, p_dev_rec->bd_addr, BD_ADDR_LEN);
4014 memcpy (btm_cb.connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
4015
4016 btm_cb.acl_disc_reason = 0xff ;
4017
4018 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4019 p_dev_rec->role_master = TRUE;
4020
4021 /* If any SCO link up, do not allow a switch */
4022 if (BTM_GetNumScoLinks() != 0)
4023 allow_switch = HCI_CR_CONN_NOT_ALLOW_SWITCH;
4024
4025 return(btsnd_hcic_create_conn (bda, packet_types, page_scan_rep_mode,
4026 page_scan_mode, clock_offset, allow_switch));
4027 }
4028
4029 /*******************************************************************************
4030 **
4031 ** Function btm_sec_connect_after_reject_timeout
4032 **
4033 ** Description Connection for bonding could not start because of the collision
4034 ** Initiate outgoing connection
4035 **
4036 ** Returns Pointer to the TLE struct
4037 **
4038 *******************************************************************************/
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4039 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4040 {
4041 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4042
4043 BTM_TRACE_EVENT0 ("btm_sec_connect_after_reject_timeout()");
4044 btm_cb.sec_collision_tle.param = 0;
4045 btm_cb.p_collided_dev_rec = 0;
4046
4047 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4048 {
4049 BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4050
4051 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4052
4053 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4054 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4055 }
4056 }
4057
4058 /*******************************************************************************
4059 **
4060 ** Function btm_sec_connected
4061 **
4062 ** Description This function is when a connection to the peer device is
4063 ** establsihed
4064 **
4065 ** Returns void
4066 **
4067 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4068 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4069 {
4070 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4071 UINT8 res;
4072 BOOLEAN is_pairing_device = FALSE;
4073 tACL_CONN *p_acl_cb;
4074
4075 btm_acl_resubmit_page();
4076
4077 /* Commenting out trace due to obf/compilation problems.
4078 */
4079 #if (BT_USE_TRACES == TRUE)
4080 if (p_dev_rec)
4081 {
4082 BTM_TRACE_EVENT6 ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s",
4083 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4084 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4085 p_dev_rec->sec_bd_name);
4086 }
4087 else
4088 {
4089 BTM_TRACE_EVENT5 ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ",
4090 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4091 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4092 }
4093 #endif
4094
4095 if (!p_dev_rec)
4096 {
4097 /* There is no device record for new connection. Allocate one */
4098 if (status == HCI_SUCCESS)
4099 {
4100 p_dev_rec = btm_sec_alloc_dev (bda);
4101 #if BLE_INCLUDED == TRUE
4102 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4103 #endif
4104 }
4105 else
4106 {
4107 /* can not find the device record and the status is error,
4108 * just ignore it */
4109 return;
4110 }
4111 }
4112 else /* Update the timestamp for this device */
4113 {
4114 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4115 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4116 {
4117 /* tell L2CAP it's a bonding connection. */
4118 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4119 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4120 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4121 {
4122 /* if incoming connection failed while pairing, then try to connect and continue */
4123 /* Motorola S9 disconnects without asking pin code */
4124 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4125 {
4126 BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4127
4128 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4129 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4130 {
4131 /* Start timer with 0 to initiate connection with new LCB */
4132 /* because L2CAP will delete current LCB with this event */
4133 btm_cb.p_collided_dev_rec = p_dev_rec;
4134 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4135 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4136 }
4137 else
4138 {
4139 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4140 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL);
4141 }
4142 #if BTM_DISC_DURING_RS == TRUE
4143 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4144 #endif
4145 return;
4146 }
4147 else
4148 {
4149 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4150 }
4151 }
4152 /* always clear the pending flag */
4153 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4154 }
4155 }
4156
4157 #if BTM_DISC_DURING_RS == TRUE
4158 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4159 #endif
4160
4161 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4162
4163 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4164 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4165 {
4166 /* if we rejected incoming connection from bonding device */
4167 if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4168 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4169 {
4170 BTM_TRACE_WARNING2 ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4171 btm_cb.pairing_flags, p_dev_rec->sm4);
4172
4173 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4174 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4175 {
4176 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4177 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4178 BTM_ReadRemoteDeviceName(bda, NULL);
4179 return;
4180 }
4181
4182 /* if we already have pin code */
4183 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4184 {
4185 /* Start timer with 0 to initiate connection with new LCB */
4186 /* because L2CAP will delete current LCB with this event */
4187 btm_cb.p_collided_dev_rec = p_dev_rec;
4188 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4189 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4190 }
4191
4192 return;
4193 }
4194 /* wait for incoming connection without resetting pairing state */
4195 else if (status == HCI_ERR_CONNECTION_EXISTS)
4196 {
4197 BTM_TRACE_WARNING0 ("Security Manager: btm_sec_connected: Wait for incoming connection");
4198 return;
4199 }
4200
4201 is_pairing_device = TRUE;
4202 }
4203
4204 /* If connection was made to do bonding restore link security if changed */
4205 btm_restore_mode();
4206
4207 /* if connection fails during pin request, notify application */
4208 if (status != HCI_SUCCESS)
4209 {
4210 /* If connection failed because of during pairing, need to tell user */
4211 if (is_pairing_device)
4212 {
4213 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4214 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
4215 BTM_TRACE_DEBUG1 ("security_required:%x ", p_dev_rec->security_required );
4216
4217 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4218
4219 /* We need to notify host that the key is not known any more */
4220 if (btm_cb.api.p_auth_complete_callback)
4221 {
4222 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4223 p_dev_rec->dev_class,
4224 p_dev_rec->sec_bd_name, status);
4225 }
4226 }
4227 else if ((status == HCI_ERR_AUTH_FAILURE) ||
4228 (status == HCI_ERR_KEY_MISSING) ||
4229 (status == HCI_ERR_HOST_REJECT_SECURITY) ||
4230 (status == HCI_ERR_PAIRING_NOT_ALLOWED) ||
4231 (status == HCI_ERR_UNIT_KEY_USED) ||
4232 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4233 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) ||
4234 (status == HCI_ERR_REPEATED_ATTEMPTS))
4235 {
4236 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4237 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4238
4239 /* We need to notify host that the key is not known any more */
4240 if (btm_cb.api.p_auth_complete_callback)
4241 {
4242 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4243 p_dev_rec->dev_class,
4244 p_dev_rec->sec_bd_name, status);
4245 }
4246 }
4247
4248 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT ||
4249 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT)
4250 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT);
4251 else
4252 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
4253
4254 return;
4255 }
4256
4257 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4258 /* If dedicated bonding, and we now have a link key, we are all done */
4259 if ( is_pairing_device
4260 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4261 {
4262 if (p_dev_rec->link_key_not_sent)
4263 {
4264 p_dev_rec->link_key_not_sent = FALSE;
4265 btm_send_link_key_notif(p_dev_rec);
4266 }
4267
4268 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4269
4270 /* remember flag before it is initialized */
4271 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4272 res = TRUE;
4273 else
4274 res = FALSE;
4275
4276 if (btm_cb.api.p_auth_complete_callback)
4277 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4278 p_dev_rec->dev_class,
4279 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4280
4281 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4282
4283 if ( res )
4284 {
4285 /* Let l2cap start bond timer */
4286 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4287 }
4288
4289 return;
4290 }
4291
4292 p_dev_rec->hci_handle = handle;
4293
4294 /* role may not be correct here, it will be updated by l2cap, but we need to */
4295 /* notify btm_acl that link is up, so starting of rmt name request will not */
4296 /* set paging flag up */
4297 p_acl_cb = btm_bda_to_acl(bda);
4298 if (p_acl_cb)
4299 {
4300 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4301 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4302 /* For now there are a some devices that do not like sending */
4303 /* commands events and data at the same time. */
4304 /* Set the packet types to the default allowed by the device */
4305 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4306
4307 if (btm_cb.btm_def_link_policy)
4308 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4309 #endif
4310 }
4311 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, FALSE);
4312
4313 /* Initialize security flags. We need to do that because some */
4314 /* authorization complete could have come after the connection is dropped */
4315 /* and that would set wrong flag that link has been authorized already */
4316 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4317 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED);
4318
4319 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4320 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4321
4322 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4323 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4324
4325 p_dev_rec->link_key_changed = FALSE;
4326
4327 /* After connection is established we perform security if we do not know */
4328 /* the name, or if we are originator because some procedure can have */
4329 /* been scheduled while connection was down */
4330 BTM_TRACE_DEBUG1 ("is_originator:%d ", p_dev_rec->is_originator);
4331 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4332 {
4333 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4334 btm_sec_dev_rec_cback_event (p_dev_rec, res);
4335 }
4336 return;
4337 }
4338
4339 /*******************************************************************************
4340 **
4341 ** Function btm_sec_role_changed
4342 **
4343 ** Description This function is colled when controller reports role
4344 ** changed, or failed command status for Role Change request
4345 **
4346 ** Returns void
4347 **
4348 *******************************************************************************/
btm_sec_role_changed(void * p_ref_data)4349 void btm_sec_role_changed (void *p_ref_data)
4350 {
4351 tBTM_SEC_DEV_REC *p_dev_rec = (tBTM_SEC_DEV_REC *)p_ref_data;
4352 UINT8 res;
4353
4354 BTM_TRACE_EVENT0 ("Security Manager: role changed");
4355
4356 /* If this role switch was started by peer do not need to do anything */
4357 if (p_dev_rec->sec_state != BTM_SEC_STATE_SWITCHING_ROLE)
4358 return;
4359
4360 /* If serurity required was to FORCE switch and it failed, notify the waiting layer */
4361 if (((p_dev_rec->security_required & BTM_SEC_FORCE_MASTER) && !p_dev_rec->role_master)
4362 || ((p_dev_rec->security_required & BTM_SEC_FORCE_SLAVE) && p_dev_rec->role_master))
4363 {
4364 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING);
4365 return;
4366 }
4367
4368 p_dev_rec->sec_flags |= BTM_SEC_ROLE_SWITCHED;
4369
4370 p_dev_rec->security_required &= ~(BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
4371 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
4372
4373 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4374
4375 if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4376 {
4377 btm_sec_dev_rec_cback_event (p_dev_rec, res);
4378 }
4379 }
4380
4381 /*******************************************************************************
4382 **
4383 ** Function btm_sec_disconnect
4384 **
4385 ** Description This function is called to disconnect HCI link
4386 **
4387 ** Returns btm status
4388 **
4389 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4390 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4391 {
4392 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4393
4394 /* In some weird race condition we may not have a record */
4395 if (!p_dev_rec)
4396 {
4397 btsnd_hcic_disconnect (handle, reason);
4398 return(BTM_SUCCESS);
4399 }
4400
4401 /* If we are in the process of bonding we need to tell client that auth failed */
4402 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4403 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4404 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4405 {
4406 /* we are currently doing bonding. Link will be disconnected when done */
4407 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4408 return(BTM_BUSY);
4409 }
4410
4411 return(btm_sec_send_hci_disconnect(p_dev_rec, reason));
4412 }
4413
4414 /*******************************************************************************
4415 **
4416 ** Function btm_sec_disconnected
4417 **
4418 ** Description This function is when a connection to the peer device is
4419 ** dropped
4420 **
4421 ** Returns void
4422 **
4423 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4424 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4425 {
4426 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4427 UINT8 old_pairing_flags = btm_cb.pairing_flags;
4428 int result = HCI_ERR_AUTH_FAILURE;
4429 tBTM_SEC_CALLBACK *p_callback = NULL;
4430
4431 /* If page was delayed for disc complete, can do it now */
4432 btm_cb.discing = FALSE;
4433
4434 btm_acl_resubmit_page();
4435
4436 if (!p_dev_rec)
4437 return;
4438
4439 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4440
4441 #if BTM_DISC_DURING_RS == TRUE
4442 BTM_TRACE_ERROR0("btm_sec_disconnected - Clearing Pending flag");
4443 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4444 #endif
4445
4446 /* clear unused flags */
4447 p_dev_rec->sm4 &= BTM_SM4_TRUE;
4448
4449 BTM_TRACE_EVENT6("btm_sec_disconnected() sec_req:x%x State: %s reason:%d bda:%04x%08x RName:%s",
4450 p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state), reason, (p_dev_rec->bd_addr[0]<<8)+p_dev_rec->bd_addr[1],
4451 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5], p_dev_rec->sec_bd_name);
4452
4453 BTM_TRACE_EVENT1("before Update sec_flags=0x%x", p_dev_rec->sec_flags);
4454
4455 /* If we are in the process of bonding we need to tell client that auth failed */
4456 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4457 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4458 {
4459 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4460 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4461 if (btm_cb.api.p_auth_complete_callback)
4462 {
4463 /* If the disconnection reason is REPEATED_ATTEMPTS,
4464 send this error message to complete callback function
4465 to display the error message of Repeated attempts.
4466 All others, send HCI_ERR_AUTH_FAILURE. */
4467 if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4468 {
4469 result = HCI_ERR_REPEATED_ATTEMPTS;
4470 }
4471 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4472 {
4473 result = HCI_ERR_HOST_REJECT_SECURITY;
4474 }
4475 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4476 p_dev_rec->sec_bd_name, result);
4477 }
4478 }
4479
4480 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4481 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4482
4483 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4484 p_dev_rec->enc_key_size = 0;
4485 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, FALSE);
4486 /* see sec_flags processing in btm_acl_removed */
4487 #endif
4488 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED);
4489
4490 p_dev_rec->security_required = BTM_SEC_NONE;
4491
4492 p_callback = p_dev_rec->p_callback;
4493
4494 /* if security is pending, send callback to clean up the security state */
4495 if(p_callback)
4496 {
4497 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4498 we do, this call back must be reset here */
4499 (*p_callback) (p_dev_rec->bd_addr, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4500 }
4501
4502 BTM_TRACE_EVENT1("after Update sec_flags=0x%x", p_dev_rec->sec_flags);
4503 }
4504
4505 /*******************************************************************************
4506 **
4507 ** Function btm_sec_link_key_notification
4508 **
4509 ** Description This function is called when a new connection link key is
4510 ** generated
4511 **
4512 ** Returns Pointer to the record or NULL
4513 **
4514 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4515 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4516 {
4517 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4518 BOOLEAN we_are_bonding = FALSE;
4519
4520 BTM_TRACE_EVENT3 ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d",
4521 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4522 key_type);
4523
4524 /* If connection was made to do bonding restore link security if changed */
4525 btm_restore_mode();
4526
4527 /* Override the key type if version is pre-1.1 */
4528 if (btm_cb.devcb.local_version.hci_version < HCI_VERSION_1_1)
4529 p_dev_rec->link_key_type = BTM_LKEY_TYPE_IGNORE;
4530 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4531 p_dev_rec->link_key_type = key_type;
4532
4533 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4534 #if (BLE_INCLUDED == TRUE)
4535 /* BR/EDR connection, update the encryption key size to be 16 as always */
4536 p_dev_rec->enc_key_size = 16;
4537 #endif
4538 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4539
4540 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4541 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4542 {
4543 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4544 we_are_bonding = TRUE;
4545 else
4546 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4547 }
4548
4549 /* If name is not known at this point delay calling callback until the name is */
4550 /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4551 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4552 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL)) )
4553 {
4554 BTM_TRACE_EVENT3 ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d",
4555 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5], key_type);
4556
4557 p_dev_rec->link_key_not_sent = TRUE;
4558
4559 /* If it is for bonding nothing else will follow, so we need to start name resolution */
4560 if (we_are_bonding)
4561 {
4562 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4563 btm_inq_rmt_name_failed();
4564 }
4565
4566 BTM_TRACE_EVENT3 ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4567 return;
4568 }
4569
4570 /* If its not us who perform authentication, we should tell stackserver */
4571 /* that some authentication has been completed */
4572 /* This is required when different entities receive link notification and auth complete */
4573 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
4574 {
4575 if (btm_cb.api.p_auth_complete_callback)
4576 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4577 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4578 }
4579
4580 /* We will save link key only if the user authorized it - BTE report link key in all cases */
4581 #ifdef BRCM_NONE_BTE
4582 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4583 #endif
4584 {
4585 if (btm_cb.api.p_link_key_callback)
4586 {
4587 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4588 p_link_key, p_dev_rec->link_key_type);
4589 }
4590 }
4591 }
4592
4593 /*******************************************************************************
4594 **
4595 ** Function btm_sec_link_key_request
4596 **
4597 ** Description This function is called when controller requests link key
4598 **
4599 ** Returns Pointer to the record or NULL
4600 **
4601 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)4602 void btm_sec_link_key_request (UINT8 *p_bda)
4603 {
4604 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4605
4606 BTM_TRACE_EVENT6 ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
4607 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
4608
4609 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
4610 {
4611 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4612 return;
4613 }
4614
4615 /* Notify L2CAP to increase timeout */
4616 l2c_pin_code_request (p_bda);
4617
4618 /* Only ask the host for a key if this guy is not already bonding */
4619 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
4620 || (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) )
4621 {
4622 if (btm_cb.api.p_link_key_req_callback)
4623 {
4624 if ((*btm_cb.api.p_link_key_req_callback)(p_bda, p_dev_rec->link_key) == BTM_SUCCESS)
4625 {
4626 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4627 return;
4628 }
4629 }
4630 }
4631
4632 /* The link key is not in the database and it is not known to the manager */
4633 btsnd_hcic_link_key_neg_reply (p_bda);
4634 }
4635
4636 /*******************************************************************************
4637 **
4638 ** Function btm_sec_pairing_timeout
4639 **
4640 ** Description This function is called when host does not provide PIN
4641 ** within requested time
4642 **
4643 ** Returns Pointer to the TLE struct
4644 **
4645 *******************************************************************************/
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)4646 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
4647 {
4648 tBTM_CB *p_cb = &btm_cb;
4649 tBTM_SEC_DEV_REC *p_dev_rec;
4650 #if BTM_OOB_INCLUDED == TRUE
4651 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
4652 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
4653 #else
4654 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES;
4655 #endif
4656 #endif
4657 UINT8 name[2];
4658
4659 p_cb->pairing_tle.param = 0;
4660 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
4661 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
4662 */
4663 p_dev_rec = btm_find_dev (p_cb->pairing_bda);
4664
4665 BTM_TRACE_EVENT2 ("btm_sec_pairing_timeout() State: %s Flags: %u",
4666 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
4667
4668 switch (p_cb->pairing_state)
4669 {
4670 case BTM_PAIR_STATE_WAIT_PIN_REQ:
4671 btm_sec_bond_cancel_complete();
4672 break;
4673
4674 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
4675 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
4676 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
4677 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4678 /* We need to notify the UI that no longer need the PIN */
4679 if (btm_cb.api.p_auth_complete_callback)
4680 {
4681 if (p_dev_rec == NULL)
4682 {
4683 name[0] = 0;
4684 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4685 NULL,
4686 name, HCI_ERR_CONNECTION_TOUT);
4687 }
4688 else
4689 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4690 p_dev_rec->dev_class,
4691 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4692 }
4693 break;
4694
4695 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
4696 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
4697 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4698 break;
4699
4700 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
4701 case BTM_PAIR_STATE_KEY_ENTRY:
4702 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
4703 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4704 break;
4705 #endif /* !BTM_IO_CAP_NONE */
4706
4707 #if BTM_OOB_INCLUDED == TRUE
4708 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
4709 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4710 auth_req |= BTM_AUTH_DD_BOND;
4711
4712 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
4713 BTM_OOB_NONE, auth_req);
4714 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4715 break;
4716
4717 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
4718 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
4719 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4720 break;
4721 #endif /* BTM_OOB_INCLUDED */
4722
4723 case BTM_PAIR_STATE_WAIT_DISCONNECT:
4724 /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
4725 * now it's time to tear down the ACL link*/
4726 if (p_dev_rec == NULL)
4727 {
4728 BTM_TRACE_ERROR2 ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
4729 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
4730 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
4731 break;
4732 }
4733 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE);
4734 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4735 break;
4736
4737 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
4738 /* We need to notify the UI that timeout has happened while waiting for authentication*/
4739 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4740 if (btm_cb.api.p_auth_complete_callback)
4741 {
4742 if (p_dev_rec == NULL)
4743 {
4744 name[0] = 0;
4745 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4746 NULL,
4747 name, HCI_ERR_CONNECTION_TOUT);
4748 }
4749 else
4750 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4751 p_dev_rec->dev_class,
4752 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4753 }
4754 break;
4755
4756 default:
4757 BTM_TRACE_WARNING1 ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
4758 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4759 break;
4760 }
4761 }
4762
4763 /*******************************************************************************
4764 **
4765 ** Function btm_sec_pin_code_request
4766 **
4767 ** Description This function is called when controller requests PIN code
4768 **
4769 ** Returns Pointer to the record or NULL
4770 **
4771 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)4772 void btm_sec_pin_code_request (UINT8 *p_bda)
4773 {
4774 tBTM_SEC_DEV_REC *p_dev_rec;
4775 tBTM_CB *p_cb = &btm_cb;
4776
4777 BTM_TRACE_EVENT3 ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x",
4778 btm_pair_state_descr(btm_cb.pairing_state),
4779 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
4780
4781 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4782 {
4783 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) &&
4784 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
4785 {
4786 /* fake this out - porshe carkit issue - */
4787 // btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
4788 if(! btm_cb.pin_code_len_saved)
4789 {
4790 btsnd_hcic_pin_code_neg_reply (p_bda);
4791 return;
4792 }
4793 else
4794 {
4795 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
4796 return;
4797 }
4798 }
4799 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
4800 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
4801 {
4802 BTM_TRACE_WARNING1 ("btm_sec_pin_code_request() rejected - state: %s",
4803 btm_pair_state_descr(btm_cb.pairing_state));
4804
4805 #ifdef PORCHE_PAIRING_CONFLICT
4806 /* reply pin code again due to counter in_rand when local initiates pairing */
4807 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request from remote dev. for local initiated pairing");
4808 if(! btm_cb.pin_code_len_saved)
4809 {
4810 btsnd_hcic_pin_code_neg_reply (p_bda);
4811 }
4812 else
4813 {
4814 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4815 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
4816 }
4817 #else
4818 btsnd_hcic_pin_code_neg_reply (p_bda);
4819 #endif
4820 return;
4821 }
4822 }
4823
4824 p_dev_rec = btm_find_or_alloc_dev (p_bda);
4825 /* received PIN code request. must be non-sm4 */
4826 p_dev_rec->sm4 = BTM_SM4_KNOWN;
4827
4828 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
4829 {
4830 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
4831
4832 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
4833 /* Make sure we reset the trusted mask to help against attacks */
4834 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
4835 }
4836
4837 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
4838 {
4839 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request fixed pin replying");
4840 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4841 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
4842 return;
4843 }
4844
4845 /* Use the connecting device's CoD for the connection */
4846 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
4847 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
4848 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
4849
4850 /* We could have started connection after asking user for the PIN code */
4851 if (btm_cb.pin_code_len != 0)
4852 {
4853 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request bonding sending reply");
4854 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
4855
4856 #ifdef PORCHE_PAIRING_CONFLICT
4857 btm_cb.pin_code_len_saved = btm_cb.pin_code_len;
4858 #endif
4859
4860 /* Mark that we forwarded received from the user PIN code */
4861 btm_cb.pin_code_len = 0;
4862
4863 /* We can change mode back right away, that other connection being established */
4864 /* is not forced to be secure - found a FW issue, so we can not do this
4865 btm_restore_mode(); */
4866
4867 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
4868 }
4869
4870 /* If pairing disabled OR (no PIN callback and not bonding) */
4871 /* OR we could not allocate entry in the database reject pairing request */
4872 else if (p_cb->pairing_disabled
4873 || (p_cb->api.p_pin_callback == NULL)
4874
4875 /* OR Microsoft keyboard can for some reason try to establish connection */
4876 /* the only thing we can do here is to shut it up. Normally we will be originator */
4877 /* for keyboard bonding */
4878 || (!p_dev_rec->is_originator
4879 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
4880 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
4881 {
4882 BTM_TRACE_WARNING3("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
4883 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
4884
4885 btsnd_hcic_pin_code_neg_reply (p_bda);
4886 }
4887 /* Notify upper layer of PIN request and start expiration timer */
4888 else
4889 {
4890 btm_cb.pin_code_len_saved = 0;
4891 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
4892 /* Pin code request can not come at the same time as connection request */
4893 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
4894 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
4895
4896 /* Check if the name is known */
4897 /* Even if name is not known we might not be able to get one */
4898 /* this is the case when we are already getting something from the */
4899 /* device, so HCI level is flow controlled */
4900 /* Also cannot send remote name request while paging, i.e. connection is not completed */
4901 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4902 {
4903 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request going for callback");
4904
4905 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
4906 if (p_cb->api.p_pin_callback)
4907 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
4908 }
4909 else
4910 {
4911 BTM_TRACE_EVENT0 ("btm_sec_pin_code_request going for remote name");
4912
4913 /* We received PIN code request for the device with unknown name */
4914 /* it is not user friendly just to ask for the PIN without name */
4915 /* try to get name at first */
4916 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
4917 HCI_PAGE_SCAN_REP_MODE_R1,
4918 HCI_MANDATARY_PAGE_SCAN_MODE, 0))
4919 {
4920 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
4921 p_dev_rec->sec_bd_name[0] = 'f';
4922 p_dev_rec->sec_bd_name[1] = '0';
4923 BTM_TRACE_ERROR0 ("can not send rmt_name_req?? fake a name and call callback");
4924
4925 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
4926 if (p_cb->api.p_pin_callback)
4927 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
4928 }
4929 }
4930 }
4931
4932 return;
4933 }
4934
4935 /*******************************************************************************
4936 **
4937 ** Function btm_sec_update_clock_offset
4938 **
4939 ** Description This function is called to update clock offset
4940 **
4941 ** Returns void
4942 **
4943 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)4944 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
4945 {
4946 tBTM_SEC_DEV_REC *p_dev_rec;
4947 tBTM_INQ_INFO *p_inq_info;
4948
4949 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
4950 return;
4951
4952 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
4953
4954 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
4955 return;
4956
4957 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
4958 }
4959
4960
4961 /******************************************************************
4962 ** S T A T I C F U N C T I O N S
4963 *******************************************************************/
4964
4965 /*******************************************************************************
4966 **
4967 ** Function btm_sec_execute_procedure
4968 **
4969 ** Description This function is called to start required security
4970 ** procedure. There is a case when multiplexing protocol
4971 ** calls this function on the originating side, connection to
4972 ** the peer will not be established. This function in this
4973 ** case performs only authorization.
4974 **
4975 ** Returns BTM_SUCCESS - permission is granted
4976 ** BTM_CMD_STARTED - in process
4977 ** BTM_NO_RESOURCES - permission declined
4978 **
4979 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)4980 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
4981 {
4982 BTM_TRACE_EVENT3 ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
4983 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
4984
4985 /* There is a chance that we are getting name. Wait until done. */
4986 if (p_dev_rec->sec_state != 0)
4987 return(BTM_CMD_STARTED);
4988
4989 /* If any security is required, get the name first */
4990 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4991 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
4992 {
4993 BTM_TRACE_EVENT0 ("Security Manager: Start get name");
4994 if (!btm_sec_start_get_name (p_dev_rec))
4995 {
4996 return(BTM_NO_RESOURCES);
4997 }
4998 return(BTM_CMD_STARTED);
4999 }
5000
5001 /* If connection is not authenticated and authentication is required */
5002 /* start authentication and return PENDING to the caller */
5003 if ((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5004 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5005 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))
5006 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5007 {
5008 #if (L2CAP_UCD_INCLUDED == TRUE)
5009 /* if incoming UCD packet, discard it */
5010 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5011 return(BTM_FAILED_ON_SECURITY);
5012 #endif
5013
5014 BTM_TRACE_EVENT0 ("Security Manager: Start authentication");
5015
5016 if (!btm_sec_start_authentication (p_dev_rec))
5017 {
5018 return(BTM_NO_RESOURCES);
5019 }
5020 return(BTM_CMD_STARTED);
5021 }
5022
5023 /* If connection is not encrypted and encryption is required */
5024 /* start encryption and return PENDING to the caller */
5025 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5026 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5027 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5028 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5029 {
5030 #if (L2CAP_UCD_INCLUDED == TRUE)
5031 /* if incoming UCD packet, discard it */
5032 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5033 return(BTM_FAILED_ON_SECURITY);
5034 #endif
5035
5036 BTM_TRACE_EVENT0 ("Security Manager: Start encryption");
5037
5038 if (!btm_sec_start_encryption (p_dev_rec))
5039 {
5040 return(BTM_NO_RESOURCES);
5041 }
5042 return(BTM_CMD_STARTED);
5043 }
5044
5045 /* If connection is not authorized and authorization is required */
5046 /* start authorization and return PENDING to the caller */
5047 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5048 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5049 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5050 {
5051 BTM_TRACE_EVENT2 ("service id:%d, is trusted:%d",
5052 p_dev_rec->p_cur_service->service_id,
5053 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5054 p_dev_rec->p_cur_service->service_id)));
5055 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5056 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5057 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5058 p_dev_rec->p_cur_service->service_id) == FALSE))
5059 {
5060 BTM_TRACE_EVENT0 ("Security Manager: Start authorization");
5061 return(btm_sec_start_authorization (p_dev_rec));
5062 }
5063 }
5064
5065 /* All required security procedures already established */
5066 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5067 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5068 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5069 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5070 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5071
5072 BTM_TRACE_EVENT2 ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5073 BTM_TRACE_EVENT0 ("Security Manager: access granted");
5074
5075 return(BTM_SUCCESS);
5076 }
5077
5078
5079 /*******************************************************************************
5080 **
5081 ** Function btm_sec_start_get_name
5082 **
5083 ** Description This function is called to start get name procedure
5084 **
5085 ** Returns TRUE if started
5086 **
5087 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5088 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5089 {
5090 UINT8 tempstate = p_dev_rec->sec_state;
5091
5092 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5093
5094 /* Device should be connected, no need to provide correct page params */
5095 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5096 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5097 0, NULL)) != BTM_CMD_STARTED)
5098 {
5099 p_dev_rec->sec_state = tempstate;
5100 return(FALSE);
5101 }
5102
5103 return(TRUE);
5104 }
5105
5106 /*******************************************************************************
5107 **
5108 ** Function btm_sec_start_authentication
5109 **
5110 ** Description This function is called to start authentication
5111 **
5112 ** Returns TRUE if started
5113 **
5114 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5115 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5116 {
5117 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5118
5119 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5120 }
5121
5122 /*******************************************************************************
5123 **
5124 ** Function btm_sec_start_encryption
5125 **
5126 ** Description This function is called to start encryption
5127 **
5128 ** Returns TRUE if started
5129 **
5130 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5131 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5132 {
5133 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5134 return(FALSE);
5135
5136 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5137 return(TRUE);
5138 }
5139
5140
5141 /*******************************************************************************
5142 **
5143 ** Function btm_sec_start_authorization
5144 **
5145 ** Description This function is called to start authorization
5146 **
5147 ** Returns TRUE if started
5148 **
5149 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5150 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5151 {
5152 UINT8 result;
5153 UINT8 *p_service_name = NULL;
5154 UINT8 service_id;
5155
5156 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5157 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5158 {
5159 if (!btm_cb.api.p_authorize_callback)
5160 return(BTM_MODE_UNSUPPORTED);
5161
5162 if (p_dev_rec->p_cur_service)
5163 {
5164 #if BTM_SEC_SERVICE_NAME_LEN > 0
5165 if (p_dev_rec->is_originator)
5166 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5167 else
5168 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5169 #endif
5170 service_id = p_dev_rec->p_cur_service->service_id;
5171 }
5172 else
5173 service_id = 0;
5174
5175 /* Send authorization request if not already sent during this service connection */
5176 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5177 || p_dev_rec->last_author_service_id != service_id)
5178 {
5179 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5180 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5181 p_dev_rec->dev_class,
5182 p_dev_rec->sec_bd_name,
5183 p_service_name,
5184 service_id,
5185 p_dev_rec->is_originator);
5186 }
5187
5188 else /* Already authorized once for this L2CAP bringup */
5189 {
5190 BTM_TRACE_DEBUG1 ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5191 return (BTM_SUCCESS);
5192 }
5193
5194 if (result == BTM_SUCCESS)
5195 {
5196 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5197
5198 /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5199 if (!p_dev_rec->is_originator)
5200 p_dev_rec->last_author_service_id = service_id;
5201
5202 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5203 }
5204 return(result);
5205 }
5206 btm_sec_start_get_name (p_dev_rec);
5207 return(BTM_CMD_STARTED);
5208 }
5209
5210 /*******************************************************************************
5211 **
5212 ** Function btm_sec_are_all_trusted
5213 **
5214 ** Description This function is called check if all services are trusted
5215 **
5216 ** Returns TRUE if all are trusted, otherwise FALSE
5217 **
5218 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5219 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5220 {
5221 UINT32 trusted_inx;
5222 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5223 {
5224 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5225 return(FALSE);
5226 }
5227
5228 return(TRUE);
5229 }
5230
5231 /*******************************************************************************
5232 **
5233 ** Function btm_sec_find_first_serv
5234 **
5235 ** Description Look for the first record in the service database
5236 ** with specified PSM
5237 **
5238 ** Returns Pointer to the record or NULL
5239 **
5240 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5241 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5242 {
5243 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5244 int i;
5245 BOOLEAN is_originator;
5246
5247 #if (L2CAP_UCD_INCLUDED == TRUE)
5248
5249 if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5250 is_originator = TRUE;
5251 else
5252 is_originator = FALSE;
5253 #else
5254 is_originator = conn_type;
5255 #endif
5256
5257 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5258 {
5259 /* If this is outgoing connection and the PSM matches p_out_serv,
5260 * use it as the current service */
5261 return btm_cb.p_out_serv;
5262 }
5263
5264 /* otherwise, just find the first record with the specified PSM */
5265 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5266 {
5267 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5268 return(p_serv_rec);
5269 }
5270 return(NULL);
5271 }
5272
5273
5274 /*******************************************************************************
5275 **
5276 ** Function btm_sec_find_next_serv
5277 **
5278 ** Description Look for the next record in the service database
5279 ** with specified PSM
5280 **
5281 ** Returns Pointer to the record or NULL
5282 **
5283 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5284 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5285 {
5286 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5287 int i;
5288
5289 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5290 {
5291 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5292 && (p_serv_rec->psm == p_cur->psm) )
5293 {
5294 if (p_cur != p_serv_rec)
5295 {
5296 return(p_serv_rec);
5297 }
5298 }
5299 }
5300 return(NULL);
5301 }
5302
5303
5304 /*******************************************************************************
5305 **
5306 ** Function btm_sec_find_mx_serv
5307 **
5308 ** Description Look for the record in the service database with specified
5309 ** PSM and multiplexor channel information
5310 **
5311 ** Returns Pointer to the record or NULL
5312 **
5313 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5314 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5315 UINT32 mx_proto_id, UINT32 mx_chan_id)
5316 {
5317 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5318 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5319 int i;
5320
5321 BTM_TRACE_DEBUG0 ("btm_sec_find_mx_serv");
5322 if (is_originator && p_out_serv && p_out_serv->psm == psm
5323 && p_out_serv->mx_proto_id == mx_proto_id
5324 && p_out_serv->orig_mx_chan_id == mx_chan_id)
5325 {
5326 /* If this is outgoing connection and the parameters match p_out_serv,
5327 * use it as the current service */
5328 return btm_cb.p_out_serv;
5329 }
5330
5331 /* otherwise, the old way */
5332 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5333 {
5334 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5335 && (p_serv_rec->psm == psm)
5336 && (p_serv_rec->mx_proto_id == mx_proto_id)
5337 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
5338 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id))))
5339 {
5340 return(p_serv_rec);
5341 }
5342 }
5343 return(NULL);
5344 }
5345
5346
5347 /*******************************************************************************
5348 **
5349 ** Function btm_sec_collision_timeout
5350 **
5351 ** Description Encryption could not start because of the collision
5352 ** try to do it again
5353 **
5354 ** Returns Pointer to the TLE struct
5355 **
5356 *******************************************************************************/
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5357 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5358 {
5359 tBTM_STATUS status;
5360
5361 BTM_TRACE_EVENT0 ("btm_sec_collision_timeout()");
5362 btm_cb.sec_collision_tle.param = 0;
5363
5364 status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5365
5366 /* If result is pending reply from the user or from the device is pending */
5367 if (status != BTM_CMD_STARTED)
5368 {
5369 /* There is no next procedure or start of procedure failed, notify the waiting layer */
5370 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status);
5371 }
5372 }
5373
5374 /*******************************************************************************
5375 **
5376 ** Function btm_sec_link_key_request
5377 **
5378 ** Description This function is called when controller requests link key
5379 **
5380 ** Returns Pointer to the record or NULL
5381 **
5382 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5383 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5384 {
5385 if (btm_cb.api.p_link_key_callback)
5386 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5387 p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5388 p_dev_rec->link_key_type);
5389 }
5390
5391 /*******************************************************************************
5392 **
5393 ** Function BTM_ReadTrustedMask
5394 **
5395 ** Description Get trusted mask for the peer device
5396 **
5397 ** Parameters: bd_addr - Address of the device
5398 **
5399 ** Returns NULL, if the device record is not found.
5400 ** otherwise, the trusted mask
5401 **
5402 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5403 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5404 {
5405 tBTM_SEC_DEV_REC *p_dev_rec;
5406
5407 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
5408 {
5409 return(p_dev_rec->trusted_mask);
5410 }
5411 else
5412 {
5413 return NULL;
5414 }
5415 }
5416
5417 /*******************************************************************************
5418 **
5419 ** Function btm_restore_mode
5420 **
5421 ** Description This function returns the security mode to previous setting
5422 ** if it was changed during bonding.
5423 **
5424 **
5425 ** Parameters: void
5426 **
5427 *******************************************************************************/
btm_restore_mode(void)5428 static void btm_restore_mode(void)
5429 {
5430 if (btm_cb.security_mode_changed)
5431 {
5432 btm_cb.security_mode_changed = FALSE;
5433 BTM_TRACE_DEBUG1("btm_restore_mode: Authen Enable -> %d", (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5434 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5435 }
5436
5437 if (btm_cb.pin_type_changed)
5438 {
5439 btm_cb.pin_type_changed = FALSE;
5440 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5441 }
5442 }
5443
5444
5445 /*******************************************************************************
5446 **
5447 ** Function btm_sec_find_dev_by_sec_state
5448 **
5449 ** Description Look for the record in the device database for the device
5450 ** which is being authenticated or encrypted
5451 **
5452 ** Returns Pointer to the record or NULL
5453 **
5454 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5455 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5456 {
5457 tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5458 int i;
5459
5460 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5461 {
5462 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5463 && (p_dev_rec->sec_state == state))
5464 return(p_dev_rec);
5465 }
5466 return(NULL);
5467 }
5468
5469 /*******************************************************************************
5470 **
5471 ** Function BTM_snd_conn_encrypt
5472 **
5473 ** Description This function is called to start/stop encryption
5474 ** Used by JSR-82
5475 **
5476 ** Returns TRUE if request started
5477 **
5478 *******************************************************************************/
BTM_snd_conn_encrypt(UINT16 handle,BOOLEAN enable)5479 BOOLEAN BTM_snd_conn_encrypt (UINT16 handle, BOOLEAN enable)
5480 {
5481 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
5482
5483 BTM_TRACE_EVENT2 ("BTM_snd_conn_encrypt Security Manager: encrypt_change p_dev_rec : 0x%x, enable = %s", p_dev_rec, (enable == TRUE) ? "TRUE" : "FALSE");
5484
5485 if (!p_dev_rec)
5486 {
5487 BTM_TRACE_EVENT1 ("BTM_snd_conn_encrypt Error no p_dev_rec : 0x%x\n", p_dev_rec);
5488 return(FALSE);
5489 }
5490
5491 if ( p_dev_rec->sec_state == BTM_SEC_STATE_IDLE)
5492 {
5493 if (!btsnd_hcic_set_conn_encrypt (handle, enable))
5494 return(FALSE);
5495
5496 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5497
5498 return(TRUE);
5499 }
5500 else
5501 return(FALSE);
5502 }
5503
5504 /*******************************************************************************
5505 **
5506 ** Function btm_sec_change_pairing_state
5507 **
5508 ** Description This function is called to change pairing state
5509 **
5510 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5511 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5512 {
5513 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
5514
5515 BTM_TRACE_EVENT1 ("btm_sec_change_pairing_state Old: %s", btm_pair_state_descr(btm_cb.pairing_state));
5516 BTM_TRACE_EVENT2 ("btm_sec_change_pairing_state New: %s pairing_flags:0x%x",btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5517
5518 btm_cb.pairing_state = new_state;
5519
5520 if (new_state == BTM_PAIR_STATE_IDLE)
5521 {
5522 btu_stop_timer (&btm_cb.pairing_tle);
5523
5524 btm_cb.pairing_flags = 0;
5525 btm_cb.pin_code_len = 0;
5526
5527 /* Make sure the the lcb shows we are not bonding */
5528 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5529
5530 btm_restore_mode();
5531 btm_sec_check_pending_reqs();
5532 btm_inq_clear_ssp();
5533
5534 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5535 }
5536 else
5537 {
5538 /* If transitionng out of idle, mark the lcb as bonding */
5539 if (old_state == BTM_PAIR_STATE_IDLE)
5540 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5541
5542 btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5543
5544 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5545 }
5546 }
5547
5548
5549 /*******************************************************************************
5550 **
5551 ** Function btm_pair_state_descr
5552 **
5553 ** Description Return state description for tracing
5554 **
5555 *******************************************************************************/
5556 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5557 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5558 {
5559 #if (BT_TRACE_VERBOSE == TRUE)
5560 switch (state)
5561 {
5562 case BTM_PAIR_STATE_IDLE: return("IDLE");
5563 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME");
5564 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ");
5565 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN");
5566 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM");
5567 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY");
5568 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP");
5569 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS");
5570 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP");
5571 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE");
5572 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT");
5573 }
5574
5575 return("???");
5576 #else
5577 sprintf(btm_cb.state_temp_buffer,"%hu",state);
5578
5579 return(btm_cb.state_temp_buffer);
5580 #endif
5581 }
5582 #endif
5583
5584
5585 /*******************************************************************************
5586 **
5587 ** Function btm_sec_dev_rec_cback_event
5588 **
5589 ** Description This function calls the callback function with the given
5590 ** result and clear the callback function.
5591 **
5592 ** Parameters: void
5593 **
5594 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res)5595 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res)
5596 {
5597 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback;
5598
5599 if (p_dev_rec->p_callback)
5600 {
5601 p_dev_rec->p_callback = NULL;
5602
5603 (*p_callback) (p_dev_rec->bd_addr, p_dev_rec->p_ref_data, res);
5604
5605 }
5606 btm_sec_check_pending_reqs();
5607 }
5608
5609 /*******************************************************************************
5610 **
5611 ** Function btm_sec_queue_mx_request
5612 **
5613 ** Description Return state description for tracing
5614 **
5615 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5616 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
5617 UINT32 mx_proto_id, UINT32 mx_chan_id,
5618 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5619 {
5620 tBTM_SEC_QUEUE_ENTRY *p_e;
5621
5622 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
5623
5624 if (p_e)
5625 {
5626 p_e->psm = psm;
5627 p_e->is_orig = is_orig;
5628 p_e->p_callback = p_callback;
5629 p_e->p_ref_data = p_ref_data;
5630 p_e->mx_proto_id = mx_proto_id;
5631 p_e->mx_chan_id = mx_chan_id;
5632
5633 memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5634
5635 BTM_TRACE_EVENT4 ("btm_sec_queue_mx_request() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
5636 psm, is_orig, mx_proto_id, mx_chan_id);
5637
5638 GKI_enqueue (&btm_cb.sec_pending_q, p_e);
5639
5640 return(TRUE);
5641 }
5642
5643 return(FALSE);
5644 }
5645
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)5646 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec)
5647 {
5648 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5649 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5650 BOOLEAN rv = FALSE;
5651
5652 if ((major == BTM_COD_MAJOR_AUDIO)
5653 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
5654 {
5655 BTM_TRACE_EVENT2 ("btm_sec_check_prefetch_pin: Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x", major, minor);
5656
5657 if (btm_cb.security_mode_changed == FALSE)
5658 {
5659 btm_cb.security_mode_changed = TRUE;
5660 #ifdef APPL_AUTH_WRITE_EXCEPTION
5661 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
5662 #endif
5663 btsnd_hcic_write_auth_enable (TRUE);
5664 }
5665 }
5666 else
5667 {
5668 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5669
5670 /* If we got a PIN, use that, else try to get one */
5671 if (btm_cb.pin_code_len)
5672 {
5673 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
5674 }
5675 else
5676 {
5677 /* pin was not supplied - pre-fetch pin code now */
5678 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
5679 {
5680 BTM_TRACE_DEBUG0("btm_sec_check_prefetch_pin: PIN code callback called");
5681 if (btm_bda_to_acl(p_dev_rec->bd_addr) == NULL)
5682 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5683 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5684 }
5685 }
5686
5687 rv = TRUE;
5688 }
5689
5690 return rv;
5691 }
5692
5693 #if (BLE_INCLUDED == TRUE)
5694 /*******************************************************************************
5695 **
5696 ** Function btm_sec_clear_ble_keys
5697 **
5698 ** Description This function is called to clear out the BLE keys.
5699 ** Typically when devices are removed in BTM_SecDeleteDevice,
5700 ** or when a new BT Link key is generated.
5701 **
5702 ** Returns void
5703 **
5704 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)5705 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec)
5706 {
5707
5708 BTM_TRACE_DEBUG0 ("btm_sec_clear_ble_keys: Clearing BLE Keys");
5709 #if (SMP_INCLUDED== TRUE)
5710 p_dev_rec->ble.key_type = 0;
5711 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
5712 #endif
5713 gatt_delete_dev_from_srv_chg_clt_list(p_dev_rec->bd_addr);
5714 }
5715
5716
5717 /*******************************************************************************
5718 **
5719 ** Function btm_sec_is_a_bonded_dev
5720 **
5721 ** Description Is the specified device is a bonded device
5722 **
5723 ** Returns TRUE - dev is bonded
5724 **
5725 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)5726 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
5727 {
5728
5729 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
5730 BOOLEAN is_bonded= FALSE;
5731
5732 #if (SMP_INCLUDED== TRUE)
5733 if (p_dev_rec && (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
5734 {
5735 is_bonded = TRUE;
5736 }
5737 #endif
5738 BTM_TRACE_DEBUG1 ("btm_sec_is_a_bonded_dev is_bonded=%d", is_bonded);
5739 return(is_bonded);
5740 }
5741
5742 /*******************************************************************************
5743 **
5744 ** Function btm_sec_is_le_capable_dev
5745 **
5746 ** Description Is the specified device is dual mode or LE only device
5747 **
5748 ** Returns TRUE - dev is a dual mode
5749 **
5750 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)5751 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
5752 {
5753 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
5754 BOOLEAN le_capable = FALSE;
5755
5756 #if (BLE_INCLUDED== TRUE)
5757 if (p_dev_rec && ((p_dev_rec->device_type == BT_DEVICE_TYPE_DUMO) ||
5758 (p_dev_rec->device_type == BT_DEVICE_TYPE_BLE) ) )
5759 {
5760 le_capable = TRUE;
5761 }
5762 #endif
5763 return le_capable;
5764 }
5765
5766 /*******************************************************************************
5767 **
5768 ** Function btm_sec_find_bonded_dev
5769 **
5770 ** Description Find a bonded device starting from the specified index
5771 **
5772 ** Returns TRUE - found a bonded device
5773 **
5774 *******************************************************************************/
btm_sec_find_bonded_dev(UINT8 start_idx,UINT8 * p_found_idx,tBTM_SEC_DEV_REC * p_rec)5775 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC *p_rec)
5776 {
5777 BOOLEAN found= FALSE;
5778
5779 #if (SMP_INCLUDED== TRUE)
5780 tBTM_SEC_DEV_REC *p_dev_rec;
5781 int i;
5782 if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
5783 {
5784 BTM_TRACE_DEBUG0 ("LE bonded device not found");
5785 return found;
5786 }
5787
5788 p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
5789 for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5790 {
5791 if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
5792 {
5793 *p_found_idx = i;
5794 p_rec = p_dev_rec;
5795 break;
5796 }
5797 }
5798 BTM_TRACE_DEBUG1 ("btm_sec_find_bonded_dev=%d", found);
5799 #endif
5800 return(found);
5801 }
5802 #endif /* BLE_INCLUDED */
5803
5804