• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for the Bluetooth Security Manager
22  *
23  ******************************************************************************/
24 
25 #include <string.h>
26 #include "bt_types.h"
27 #include "hcimsgs.h"
28 #include "btu.h"
29 #include "btm_int.h"
30 #include "l2c_int.h"
31 #include "bt_utils.h"
32 
33 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
34 /* needed for sprintf() */
35 #include <stdio.h>
36 #endif
37 
38 #if BLE_INCLUDED == TRUE
39     #include "gatt_int.h"
40 #endif
41 
42 #define BTM_SEC_MAX_COLLISION_DELAY     (GKI_SECS_TO_TICKS(5))
43 
44 #ifdef APPL_AUTH_WRITE_EXCEPTION
45 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
46 #endif
47 
48 
49 /********************************************************************************
50 **              L O C A L    F U N C T I O N     P R O T O T Y P E S            *
51 *********************************************************************************/
52 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
53 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
54 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
55                                                 UINT32 mx_proto_id,
56                                                 UINT32 mx_chan_id);
57 
58 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
59 static BOOLEAN  btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
60 static BOOLEAN  btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
61 static BOOLEAN  btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
62 static void     btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
63 static void     btm_restore_mode(void);
64 static void     btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
65 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
66 static void     btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
67 
68 #if (BT_USE_TRACES == TRUE)
69 static char     *btm_pair_state_descr (tBTM_PAIRING_STATE state);
70 #endif
71 
72 static void     btm_sec_check_pending_reqs(void);
73 static BOOLEAN  btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
74                                           UINT32 mx_proto_id, UINT32 mx_chan_id,
75                                           tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
76 static void     btm_sec_bond_cancel_complete (void);
77 static void     btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
78 static BOOLEAN  btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec);
79 
80 static UINT8    btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
81 BOOLEAN         btm_sec_are_all_trusted(UINT32 p_mask[]);
82 
83 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
84 UINT8           btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
85 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
86 
87 static BOOLEAN  btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
88                                             UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
89                                             UINT32 mx_chan_id);
90 
91 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
92 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
93 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
94 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
95 
96 /* TRUE - authenticated link key is possible */
97 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
98 {
99     /*   OUT,    IO,     IN,     NONE */
100 /* OUT  */ {FALSE,  FALSE,  TRUE,   FALSE},
101 /* IO   */ {FALSE,  TRUE,   TRUE,   FALSE},
102 /* IN   */ {TRUE,   TRUE,   TRUE,   FALSE},
103 /* NONE */ {FALSE,  FALSE,  FALSE,  FALSE}
104 };
105 /*  BTM_IO_CAP_OUT      0   DisplayOnly */
106 /*  BTM_IO_CAP_IO       1   DisplayYesNo */
107 /*  BTM_IO_CAP_IN       2   KeyboardOnly */
108 /*  BTM_IO_CAP_NONE     3   NoInputNoOutput */
109 
110 /*******************************************************************************
111 **
112 ** Function         btm_dev_authenticated
113 **
114 ** Description      check device is authenticated
115 **
116 ** Returns          BOOLEAN TRUE or FALSE
117 **
118 *******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)119 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
120 {
121     if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
122     {
123         return(TRUE);
124     }
125     return(FALSE);
126 }
127 
128 /*******************************************************************************
129 **
130 ** Function         btm_dev_encrypted
131 **
132 ** Description      check device is encrypted
133 **
134 ** Returns          BOOLEAN TRUE or FALSE
135 **
136 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)137 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
138 {
139     if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
140     {
141         return(TRUE);
142     }
143     return(FALSE);
144 }
145 
146 /*******************************************************************************
147 **
148 ** Function         btm_dev_authorized
149 **
150 ** Description      check device is authorized
151 **
152 ** Returns          BOOLEAN TRUE or FALSE
153 **
154 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)155 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
156 {
157     if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
158     {
159         return(TRUE);
160     }
161     return(FALSE);
162 }
163 
164 /*******************************************************************************
165 **
166 ** Function         btm_serv_trusted
167 **
168 ** Description      check service is trusted
169 **
170 ** Returns          BOOLEAN TRUE or FALSE
171 **
172 *******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)173 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
174 {
175     if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
176     {
177         return(TRUE);
178     }
179     return(FALSE);
180 }
181 
182 /*******************************************************************************
183 **
184 ** Function         BTM_SecRegister
185 **
186 ** Description      Application manager calls this function to register for
187 **                  security services.  There can be one and only one application
188 **                  saving link keys.  BTM allows only first registration.
189 **
190 ** Returns          TRUE if registered OK, else FALSE
191 **
192 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)193 BOOLEAN  BTM_SecRegister (tBTM_APPL_INFO *p_cb_info)
194 {
195 #if BLE_INCLUDED == TRUE
196     BT_OCTET16      temp_value = {0};
197 #endif
198 
199     BTM_TRACE_EVENT ("BTM_Sec: application registered");
200 
201 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
202     if (p_cb_info->p_le_callback)
203     {
204         BTM_TRACE_ERROR ("BTM_SecRegister:p_cb_info->p_le_callback == 0x%x ", p_cb_info->p_le_callback);
205 
206         if (p_cb_info->p_le_callback)
207         {
208     #if SMP_INCLUDED == TRUE
209             BTM_TRACE_EVENT ("BTM_Sec: SMP_Register( btm_proc_smp_cback )");
210             SMP_Register(btm_proc_smp_cback);
211     #endif
212             /* if no IR is loaded, need to regenerate all the keys */
213             if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
214             {
215                 btm_ble_reset_id();
216             }
217         }
218         else
219         {
220             BTM_TRACE_ERROR ("BTM_SecRegister:p_cb_info->p_le_callback == NULL ");
221         }
222     }
223 #endif
224 
225     btm_cb.api = *p_cb_info;
226 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
227      BTM_TRACE_ERROR ("BTM_SecRegister: btm_cb.api.p_le_callback = 0x%x ", btm_cb.api.p_le_callback);
228 #endif
229     BTM_TRACE_EVENT ("BTM_Sec: application registered");
230     return(TRUE);
231 }
232 
233 
234 /*******************************************************************************
235 **
236 ** Function         BTM_SecRegisterLinkKeyNotificationCallback
237 **
238 ** Description      Application manager calls this function to register for
239 **                  link key notification.  When there is nobody registered
240 **                  we should avoid changing link key
241 **
242 ** Returns          TRUE if registered OK, else FALSE
243 **
244 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)245 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
246 {
247     btm_cb.api.p_link_key_callback = p_callback;
248     return(TRUE);
249 }
250 
251 
252 /*******************************************************************************
253 **
254 ** Function         BTM_SecAddRmtNameNotifyCallback
255 **
256 ** Description      Any profile can register to be notified when name of the
257 **                  remote device is resolved.
258 **
259 ** Returns          TRUE if registered OK, else FALSE
260 **
261 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)262 BOOLEAN  BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
263 {
264     int i;
265 
266     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
267     {
268         if (btm_cb.p_rmt_name_callback[i] == NULL)
269         {
270             btm_cb.p_rmt_name_callback[i] = p_callback;
271             return(TRUE);
272         }
273     }
274 
275     return(FALSE);
276 }
277 
278 
279 /*******************************************************************************
280 **
281 ** Function         BTM_SecDeleteRmtNameNotifyCallback
282 **
283 ** Description      Any profile can deregister notification when a new Link Key
284 **                  is generated per connection.
285 **
286 ** Returns          TRUE if OK, else FALSE
287 **
288 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)289 BOOLEAN  BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
290 {
291     int i;
292 
293     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
294     {
295         if (btm_cb.p_rmt_name_callback[i] == p_callback)
296         {
297             btm_cb.p_rmt_name_callback[i] = NULL;
298             return(TRUE);
299         }
300     }
301 
302     return(FALSE);
303 }
304 
305 
306 /*******************************************************************************
307 **
308 ** Function         BTM_SecSetConnectFilterCallback
309 **
310 ** Description      Host can register to be asked whenever a HCI connection
311 **                  request is received.  In the registered function host
312 **                  suppose to check connectibility filters.  Yes/No result
313 **                  should be returned syncronously
314 **
315 ** Returns          void
316 **
317 *******************************************************************************/
BTM_SecSetConnectFilterCallback(tBTM_FILTER_CB * p_callback)318 void BTM_SecSetConnectFilterCallback (tBTM_FILTER_CB *p_callback)
319 {
320     btm_cb.p_conn_filter_cb = p_callback;
321 }
322 
323 /*******************************************************************************
324 **
325 ** Function         BTM_GetSecurityMode
326 **
327 ** Description      Get security mode for the device
328 **
329 ** Returns          void
330 **
331 *******************************************************************************/
BTM_GetSecurityMode(void)332 UINT8 BTM_GetSecurityMode (void)
333 {
334     return(btm_cb.security_mode);
335 }
336 
337 /*******************************************************************************
338 **
339 ** Function         BTM_GetSecurityFlags
340 **
341 ** Description      Get security flags for the device
342 **
343 ** Returns          BOOLEAN TRUE or FALSE is device found
344 **
345 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)346 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
347 {
348     tBTM_SEC_DEV_REC *p_dev_rec;
349 
350     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
351     {
352         *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
353         return(TRUE);
354     }
355     BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
356     return(FALSE);
357 }
358 
359 /*******************************************************************************
360 **
361 ** Function         BTM_GetSecurityFlagsByTransport
362 **
363 ** Description      Get security flags for the device on a particular transport
364 **
365 ** Returns          BOOLEAN TRUE or FALSE is device found
366 **
367 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)368 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
369                                                 tBT_TRANSPORT transport)
370 {
371     tBTM_SEC_DEV_REC *p_dev_rec;
372 
373     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
374     {
375         if (transport == BT_TRANSPORT_BR_EDR)
376             *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
377         else
378             *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
379 
380         return(TRUE);
381     }
382     BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
383     return(FALSE);
384 }
385 
386 /*******************************************************************************
387 **
388 ** Function         BTM_SetSecurityMode
389 **
390 ** Description      Set security mode for the device
391 **
392 ** Returns          void
393 **
394 *******************************************************************************/
BTM_SetSecurityMode(UINT8 security_mode)395 void BTM_SetSecurityMode (UINT8 security_mode)
396 {
397     UINT8   old_mode = btm_cb.security_mode;
398 
399     UINT8   sp_mode = HCI_SP_MODE_ENABLED;
400     UINT8   sp_debug_mode = HCI_SPD_MODE_DISABLED;
401 
402     switch (security_mode)
403     {
404 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
405         case BTM_SEC_MODE_NONE:
406         case BTM_SEC_MODE_SERVICE:
407         case BTM_SEC_MODE_LINK:
408             break;
409 #endif
410 
411         case BTM_SEC_MODE_SP_DEBUG:
412             sp_debug_mode = HCI_SPD_MODE_ENABLED;
413             break;
414         case BTM_SEC_MODE_SP:
415             /* the default is enabled */
416             break;
417         default:
418             BTM_TRACE_ERROR ("BTM_SetSecurityMode: unknown mode:%d", security_mode);
419             return;
420     }
421     btm_cb.security_mode = security_mode;
422 
423     if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
424     {
425         /* Lisbon devices and only use BTM_SEC_MODE_SP */
426         btm_cb.security_mode = BTM_SEC_MODE_SP;
427         BTM_TRACE_DEBUG("BTM_SetSecurityMode: SP:%d, debug:%d", sp_mode, sp_debug_mode);
428         btsnd_hcic_write_simple_pairing_mode(sp_mode);
429         btsnd_hcic_write_simp_pair_debug_mode(sp_debug_mode);
430         return;
431     }
432 
433     /* must be a pre-Lisbon device */
434 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
435     /* If previously security mode was Link Level and now lesser notify */
436     /* controller not to perform authentication, encryption on startup  */
437     if ((old_mode == BTM_SEC_MODE_LINK)
438         && (       security_mode != BTM_SEC_MODE_LINK))
439     {
440         BTM_TRACE_DEBUG("BTM_SetSecurityMode: Authen Enable -> FALSE");
441         btsnd_hcic_write_auth_enable (FALSE);
442         btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_DISABLED);
443     }
444 
445     /* If previously security is increased to Link Level notify */
446     /* controller to perform authentication, encryption on startup  */
447     if ((old_mode != BTM_SEC_MODE_LINK)
448         && (       security_mode == BTM_SEC_MODE_LINK))
449     {
450         BTM_TRACE_DEBUG("BTM_SetSecurityMode: Authen Enable -> TRUE");
451         btsnd_hcic_write_auth_enable (TRUE);
452         btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT);
453     }
454 #endif  /* BTM_PRE_LISBON_INCLUDED == TRUE */
455 }
456 
457 /*******************************************************************************
458 **
459 ** Function         BTM_SetPinType
460 **
461 ** Description      Set PIN type for the device.
462 **
463 ** Returns          void
464 **
465 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)466 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
467 {
468     BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
469                     pin_type, (char *) pin_code, pin_code_len);
470 
471     /* If device is not up security mode will be set as a part of startup */
472     if ( (btm_cb.cfg.pin_type != pin_type)
473          && (btm_cb.devcb.state > BTM_DEV_STATE_WAIT_AFTER_RESET) )
474     {
475         btsnd_hcic_write_pin_type (pin_type);
476     }
477 
478     btm_cb.cfg.pin_type     = pin_type;
479     btm_cb.cfg.pin_code_len = pin_code_len;
480     memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
481 }
482 
483 /*******************************************************************************
484 **
485 ** Function         BTM_SetPairableMode
486 **
487 ** Description      Enable or disable pairing
488 **
489 ** Parameters       allow_pairing - (TRUE or FALSE) whether or not the device
490 **                      allows pairing.
491 **                  connect_only_paired - (TRUE or FALSE) whether or not to
492 **                      only allow paired devices to connect.
493 **
494 ** Returns          void
495 **
496 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)497 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
498 {
499     BTM_TRACE_API ("BTM_SetPairableMode()  allow_pairing: %u   connect_only_paired: %u", allow_pairing, connect_only_paired);
500 
501     btm_cb.pairing_disabled    = !allow_pairing;
502     btm_cb.connect_only_paired = connect_only_paired;
503 }
504 
505 
506 #define BTM_NO_AVAIL_SEC_SERVICES   ((UINT16) 0xffff)
507 
508 /*******************************************************************************
509 **
510 ** Function         BTM_SetUCDSecurityLevel
511 **
512 ** Description      Register UCD service security level with Security Manager
513 **
514 ** Parameters:      is_originator - TRUE if originating the connection, FALSE if not
515 **                  p_name      - Name of the service relevant only if
516 **                                authorization will show this name to user. ignored
517 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
518 **                  service_id  - service ID for the service passed to authorization callback
519 **                  sec_level   - bit mask of the security features
520 **                  psm         - L2CAP PSM
521 **                  mx_proto_id - protocol ID of multiplexing proto below
522 **                  mx_chan_id  - channel ID of multiplexing proto below
523 **
524 ** Returns          TRUE if registered OK, else FALSE
525 **
526 *******************************************************************************/
BTM_SetUCDSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)527 BOOLEAN BTM_SetUCDSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
528                                  UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
529                                  UINT32 mx_chan_id)
530 {
531 #if (L2CAP_UCD_INCLUDED == TRUE)
532     CONNECTION_TYPE conn_type;
533 
534     if (is_originator)
535         conn_type = CONNLESS_ORIG;
536     else
537         conn_type = CONNLESS_TERM;
538 
539     return(btm_sec_set_security_level (conn_type, p_name, service_id,
540                                        sec_level, psm, mx_proto_id, mx_chan_id));
541 #else
542     UNUSED(is_originator);
543     UNUSED(p_name);
544     UNUSED(service_id);
545     UNUSED(sec_level);
546     UNUSED(psm);
547     UNUSED(mx_proto_id);
548     UNUSED(mx_chan_id);
549     return FALSE;
550 #endif
551 }
552 
553 /*******************************************************************************
554 **
555 ** Function         BTM_SetSecurityLevel
556 **
557 ** Description      Register service security level with Security Manager
558 **
559 ** Parameters:      is_originator - TRUE if originating the connection, FALSE if not
560 **                  p_name      - Name of the service relevant only if
561 **                                authorization will show this name to user. ignored
562 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
563 **                  service_id  - service ID for the service passed to authorization callback
564 **                  sec_level   - bit mask of the security features
565 **                  psm         - L2CAP PSM
566 **                  mx_proto_id - protocol ID of multiplexing proto below
567 **                  mx_chan_id  - channel ID of multiplexing proto below
568 **
569 ** Returns          TRUE if registered OK, else FALSE
570 **
571 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)572 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
573                               UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
574                               UINT32 mx_chan_id)
575 {
576 #if (L2CAP_UCD_INCLUDED == TRUE)
577     CONNECTION_TYPE conn_type;
578 
579     if (is_originator)
580         conn_type = CONN_ORIENT_ORIG;
581     else
582         conn_type = CONN_ORIENT_TERM;
583 
584     return(btm_sec_set_security_level (conn_type, p_name, service_id,
585                                        sec_level, psm, mx_proto_id, mx_chan_id));
586 #else
587     return(btm_sec_set_security_level (is_originator, p_name, service_id,
588                                        sec_level, psm, mx_proto_id, mx_chan_id));
589 #endif
590 }
591 
592 /*******************************************************************************
593 **
594 ** Function         btm_sec_set_security_level
595 **
596 ** Description      Register service security level with Security Manager
597 **
598 ** Parameters:      conn_type   - TRUE if originating the connection, FALSE if not
599 **                  p_name      - Name of the service relevant only if
600 **                                authorization will show this name to user. ignored
601 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
602 **                  service_id  - service ID for the service passed to authorization callback
603 **                  sec_level   - bit mask of the security features
604 **                  psm         - L2CAP PSM
605 **                  mx_proto_id - protocol ID of multiplexing proto below
606 **                  mx_chan_id  - channel ID of multiplexing proto below
607 **
608 ** Returns          TRUE if registered OK, else FALSE
609 **
610 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)611 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
612                                            UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
613                                            UINT32 mx_chan_id)
614 {
615     tBTM_SEC_SERV_REC   *p_srec;
616     UINT16               index;
617     UINT16               first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
618     BOOLEAN              record_allocated = FALSE;
619     BOOLEAN              is_originator;
620 #if (L2CAP_UCD_INCLUDED == TRUE)
621     BOOLEAN              is_ucd;
622 
623     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
624         is_originator = TRUE;
625     else
626         is_originator = FALSE;
627 
628     if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
629     {
630         is_ucd = TRUE;
631     }
632     else
633     {
634         is_ucd = FALSE;
635     }
636 #else
637     is_originator = conn_type;
638 #endif
639 
640     /* See if the record can be reused (same service name, psm, mx_proto_id,
641        service_id, and mx_chan_id), or obtain the next unused record */
642 
643     p_srec = &btm_cb.sec_serv_rec[0];
644 
645 
646     for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
647     {
648         /* Check if there is already a record for this service */
649         if (p_srec->security_flags & BTM_SEC_IN_USE)
650         {
651 #if BTM_SEC_SERVICE_NAME_LEN > 0
652             if (p_srec->psm == psm                  &&
653                 p_srec->mx_proto_id == mx_proto_id  &&
654                 service_id == p_srec->service_id    &&
655                 (!strncmp (p_name, (char *) p_srec->orig_service_name,
656                            BTM_SEC_SERVICE_NAME_LEN) ||
657                  !strncmp (p_name, (char *) p_srec->term_service_name,
658                            BTM_SEC_SERVICE_NAME_LEN)))
659 #else
660             if (p_srec->psm == psm                  &&
661                 p_srec->mx_proto_id == mx_proto_id  &&
662                 service_id == p_srec->service_id)
663 #endif
664             {
665                 record_allocated = TRUE;
666                 break;
667             }
668         }
669         /* Mark the first available service record */
670         else if (!record_allocated)
671         {
672             memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
673             record_allocated = TRUE;
674             first_unused_record = index;
675         }
676     }
677 
678     if (!record_allocated)
679     {
680         BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)",  BTM_SEC_MAX_SERVICE_RECORDS);
681         return(record_allocated);
682     }
683 
684     /* Process the request if service record is valid */
685     /* If a duplicate service wasn't found, use the first available */
686     if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
687     {
688         index = first_unused_record;
689         p_srec = &btm_cb.sec_serv_rec[index];
690     }
691 
692     p_srec->psm         = psm;
693     p_srec->service_id  = service_id;
694     p_srec->mx_proto_id = mx_proto_id;
695 
696     if (is_originator)
697     {
698         p_srec->orig_mx_chan_id = mx_chan_id;
699 #if BTM_SEC_SERVICE_NAME_LEN > 0
700         BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
701 #endif
702         /* clear out the old setting, just in case it exists */
703 #if (L2CAP_UCD_INCLUDED == TRUE)
704         if ( is_ucd )
705         {
706             p_srec->ucd_security_flags &=
707             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
708               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
709         }
710         else
711 #endif
712         {
713             p_srec->security_flags &=
714             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
715               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
716         }
717 
718         /* Parameter validation.  Originator should not set requirements for incoming connections */
719         sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM);
720 
721         if (btm_cb.security_mode == BTM_SEC_MODE_SP)
722         {
723             if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
724                 sec_level |= BTM_SEC_OUT_MITM;
725         }
726 
727         /* Make sure the authenticate bit is set, when encrypt bit is set */
728         if (sec_level & BTM_SEC_OUT_ENCRYPT)
729             sec_level |= BTM_SEC_OUT_AUTHENTICATE;
730 
731         /* outgoing connections usually set the security level right before
732          * the connection is initiated.
733          * set it to be the outgoing service */
734 #if (L2CAP_UCD_INCLUDED == TRUE)
735         if ( is_ucd == FALSE )
736 #endif
737         {
738             btm_cb.p_out_serv = p_srec;
739         }
740     }
741     else
742     {
743         p_srec->term_mx_chan_id = mx_chan_id;
744 #if BTM_SEC_SERVICE_NAME_LEN > 0
745         BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
746 #endif
747         /* clear out the old setting, just in case it exists */
748 #if (L2CAP_UCD_INCLUDED == TRUE)
749         if ( is_ucd )
750         {
751             p_srec->ucd_security_flags &=
752             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
753               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
754         }
755         else
756 #endif
757         {
758             p_srec->security_flags &=
759             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
760               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
761         }
762 
763         /* Parameter validation.  Acceptor should not set requirements for outgoing connections */
764         sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
765 
766         if (btm_cb.security_mode == BTM_SEC_MODE_SP)
767         {
768             if (sec_level & BTM_SEC_IN_AUTHENTICATE)
769                 sec_level |= BTM_SEC_IN_MITM;
770         }
771 
772         /* Make sure the authenticate bit is set, when encrypt bit is set */
773         if (sec_level & BTM_SEC_IN_ENCRYPT)
774             sec_level |= BTM_SEC_IN_AUTHENTICATE;
775     }
776 
777 #if (L2CAP_UCD_INCLUDED == TRUE)
778     if ( is_ucd )
779     {
780         p_srec->security_flags     |= (UINT16)(BTM_SEC_IN_USE);
781         p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
782     }
783     else
784     {
785         p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
786     }
787 
788     BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
789                    index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
790 
791     BTM_TRACE_API("               : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
792                    p_srec->security_flags, p_srec->ucd_security_flags);
793 
794 #if BTM_SEC_SERVICE_NAME_LEN > 0
795     BTM_TRACE_API("               : service name [%s] (up to %d chars saved)",
796                    p_name, BTM_SEC_SERVICE_NAME_LEN);
797 #endif
798 #else
799     p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
800 
801     BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
802                    index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
803 
804 #if BTM_SEC_SERVICE_NAME_LEN > 0
805     BTM_TRACE_API("               : sec: 0x%x, service name [%s] (up to %d chars saved)",
806                    p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
807 #endif
808 #endif
809 
810 
811     return(record_allocated);
812 }
813 
814 /*******************************************************************************
815 **
816 ** Function         BTM_SecClrService
817 **
818 ** Description      Removes specified service record(s) from the security database.
819 **                  All service records with the specified name are removed.
820 **                  Typically used only by devices with limited RAM so that it can
821 **                  reuse an old security service record.
822 **
823 **                  Note: Unpredictable results may occur if a service is cleared
824 **                      that is still in use by an application/profile.
825 **
826 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
827 **                          records (except SDP).
828 **
829 ** Returns          Number of records that were freed.
830 **
831 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)832 UINT8 BTM_SecClrService (UINT8 service_id)
833 {
834     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
835     UINT8   num_freed = 0;
836     int     i;
837 
838     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
839     {
840         /* Delete services with specified name (if in use and not SDP) */
841         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
842             (!service_id || (service_id == p_srec->service_id)))
843         {
844             BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
845             p_srec->security_flags = 0;
846 #if (L2CAP_UCD_INCLUDED == TRUE)
847             p_srec->ucd_security_flags = 0;
848 #endif
849             num_freed++;
850         }
851     }
852 
853     return(num_freed);
854 }
855 
856 /*******************************************************************************
857 **
858 ** Function         btm_sec_clr_service_by_psm
859 **
860 ** Description      Removes specified service record from the security database.
861 **                  All service records with the specified psm are removed.
862 **                  Typically used by L2CAP to free up the service record used
863 **                  by dynamic PSM clients when the channel is closed.
864 **                  The given psm must be a virtual psm.
865 **
866 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
867 **                          records (except SDP).
868 **
869 ** Returns          Number of records that were freed.
870 **
871 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)872 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
873 {
874     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
875     UINT8   num_freed = 0;
876     int     i;
877 
878     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
879     {
880         /* Delete services with specified name (if in use and not SDP) */
881         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
882         {
883             BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
884             p_srec->security_flags = 0;
885             num_freed++;
886         }
887     }
888     BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
889 
890     return(num_freed);
891 }
892 
893 /*******************************************************************************
894 **
895 ** Function         btm_sec_clr_temp_auth_service
896 **
897 ** Description      Removes specified device record's temporary authorization
898 **                  flag from the security database.
899 **
900 ** Parameters       Device address to be cleared
901 **
902 ** Returns          void.
903 **
904 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)905 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
906 {
907     tBTM_SEC_DEV_REC   *p_dev_rec;
908 
909     if ((p_dev_rec = btm_find_dev (bda)) == NULL)
910     {
911         BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
912         return;
913     }
914 
915     /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
916     if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
917     {
918         BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
919                     bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
920 
921         p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
922     }
923 }
924 
925 /*******************************************************************************
926 **
927 **
928 ** Function         BTM_SecClrUCDService
929 **
930 ** Description
931 **
932 ** Parameters       Service ID - Id of the service to remove.
933 **                               ('0' removes all service records )
934 **
935 ** Returns          Number of records that were cleared.
936 **
937 *******************************************************************************/
BTM_SecClrUCDService(UINT8 service_id)938 UINT8 BTM_SecClrUCDService (UINT8 service_id)
939 {
940 #if (L2CAP_UCD_INCLUDED == TRUE)
941     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
942     UINT8   num_cleared = 0;
943     int     i;
944 
945     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
946     {
947         /* Delete services with specified name (if in use and not SDP) */
948         if ((p_srec->security_flags & BTM_SEC_IN_USE) &&
949             (!service_id || (service_id == (UINT32)p_srec->service_id)))
950         {
951             BTM_TRACE_API("BTM_UCD_SEC_CLR[%d]: id %d", i, service_id);
952             p_srec->ucd_security_flags = 0;
953             num_cleared++;
954         }
955     }
956 
957     return(num_cleared);
958 #else
959     UNUSED(service_id);
960     return(0);
961 #endif
962 }
963 
964 /*******************************************************************************
965 **
966 ** Function         BTM_PINCodeReply
967 **
968 ** Description      This function is called after Security Manager submitted
969 **                  PIN code request to the UI.
970 **
971 ** Parameters:      bd_addr      - Address of the device for which PIN was requested
972 **                  res          - result of the operation BTM_SUCCESS if success
973 **                  pin_len      - length in bytes of the PIN Code
974 **                  p_pin        - pointer to array with the PIN Code
975 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
976 **
977 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])978 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
979 {
980     tBTM_SEC_DEV_REC *p_dev_rec;
981 
982     BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s   PairFlags: 0x%02x  PinLen:%d  Result:%d",
983                     btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
984 
985     /* If timeout already expired or has been canceled, ignore the reply */
986     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
987     {
988         BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
989         return;
990     }
991 
992     if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
993     {
994         BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
995         return;
996     }
997 
998     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
999     {
1000         BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
1001         return;
1002     }
1003 
1004     if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
1005         res = BTM_ILLEGAL_VALUE;
1006 
1007     if (res != BTM_SUCCESS)
1008     {
1009         /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
1010         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
1011             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
1012             (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
1013         {
1014             /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1015             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1016             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1017 
1018             btsnd_hcic_pin_code_neg_reply (bd_addr);
1019         }
1020         else
1021         {
1022             p_dev_rec->security_required = BTM_SEC_NONE;
1023             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1024         }
1025         return;
1026     }
1027     if (trusted_mask)
1028         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1029     p_dev_rec->sec_flags   |= BTM_SEC_LINK_KEY_AUTHED;
1030 
1031     if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1032          &&  (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1033          &&  (btm_cb.security_mode_changed == FALSE) )
1034     {
1035         /* This is start of the dedicated bonding if local device is 2.0 */
1036         btm_cb.pin_code_len = pin_len;
1037         memcpy (btm_cb.pin_code, p_pin, pin_len);
1038 
1039         btm_cb.security_mode_changed = TRUE;
1040 #ifdef APPL_AUTH_WRITE_EXCEPTION
1041         if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
1042 #endif
1043         btsnd_hcic_write_auth_enable (TRUE);
1044 
1045         btm_cb.acl_disc_reason = 0xff ;
1046 
1047         /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
1048         /*  before originating  */
1049         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
1050         {
1051             BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
1052             /* we change state little bit early so btm_sec_connected() will originate connection */
1053             /*   when existing ACL link is down completely */
1054             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1055         }
1056         /* if we already accepted incoming connection from pairing device */
1057         else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
1058         {
1059             BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
1060             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1061         }
1062         else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
1063         {
1064             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1065             p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
1066 
1067             if (btm_cb.api.p_auth_complete_callback)
1068                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
1069                                                     p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
1070         }
1071         return;
1072     }
1073 
1074     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1075     btm_cb.acl_disc_reason = HCI_SUCCESS;
1076 
1077 #ifdef PORCHE_PAIRING_CONFLICT
1078     BTM_TRACE_EVENT("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len);
1079     /* if this was not pre-fetched, save the PIN */
1080     if (btm_cb.pin_code_len == 0)
1081         memcpy (btm_cb.pin_code, p_pin, pin_len);
1082     btm_cb.pin_code_len_saved = pin_len;
1083 #endif
1084     btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
1085 }
1086 
1087 
1088 /*******************************************************************************
1089 **
1090 ** Function         BTM_DeviceAuthorized
1091 **
1092 ** Description      This function is called after Security Manager submitted
1093 **                  authorization request to the UI.
1094 **
1095 ** Parameters:      bd_addr     - Address of the device for which PIN was requested
1096 **                  res         - result of the operation BTM_SUCCESS if success
1097 **
1098 *******************************************************************************/
BTM_DeviceAuthorized(BD_ADDR bd_addr,UINT8 res,UINT32 trusted_mask[])1099 void BTM_DeviceAuthorized (BD_ADDR bd_addr, UINT8 res, UINT32 trusted_mask[])
1100 {
1101     tBTM_SEC_DEV_REC *p_dev_rec;
1102 
1103     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1104     {
1105         BTM_TRACE_WARNING ("Security Manager: Attempting Authorization of Unknown Device Address [%02x%02x%02x%02x%02x%02x]",
1106                             bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
1107         return;
1108     }
1109 
1110     BTM_TRACE_EVENT ("Security Manager: authorized status:%d State:%d Trusted:%08x %08x",
1111                       res, (p_dev_rec) ? p_dev_rec->sec_state : 0, trusted_mask[0], trusted_mask[1]);
1112 
1113     if (res == BTM_SUCCESS)
1114     {
1115         p_dev_rec->sec_flags   |= BTM_SEC_AUTHORIZED;
1116         if (trusted_mask)
1117         {
1118             BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1119         }
1120 
1121         /* Save the currently authorized service in case we are asked again
1122         by another multiplexer layer */
1123         if (!p_dev_rec->is_originator)
1124         {
1125             BTM_TRACE_DEBUG("BTM_DeviceAuthorized: Setting last_author_service_id to %d",
1126                              p_dev_rec->p_cur_service->service_id);
1127             p_dev_rec->last_author_service_id = p_dev_rec->p_cur_service->service_id;
1128         }
1129     }
1130 
1131     if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
1132         return;
1133 
1134     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1135 
1136     if (res != BTM_SUCCESS)
1137     {
1138         btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
1139         return;
1140     }
1141 
1142     if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
1143     {
1144         btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
1145     }
1146 }
1147 
1148 /*******************************************************************************
1149 **
1150 ** Function         btm_sec_bond_by_transport
1151 **
1152 ** Description      this is the bond function that will start either SSP or SMP.
1153 **
1154 ** Parameters:      bd_addr      - Address of the device to bond
1155 **                  pin_len      - length in bytes of the PIN Code
1156 **                  p_pin        - pointer to array with the PIN Code
1157 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1158 **
1159 **  Note: After 2.1 parameters are not used and preserved here not to change API
1160 *******************************************************************************/
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1161 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1162                                        UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1163 {
1164     tBTM_SEC_DEV_REC *p_dev_rec;
1165     tBTM_STATUS      status;
1166     UINT8            *p_features;
1167     UINT8            ii;
1168     tACL_CONN        *p= btm_bda_to_acl(bd_addr, transport);
1169     BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
1170                     bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
1171 
1172     BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
1173 
1174 
1175     /* Other security process is in progress */
1176     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1177     {
1178         BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
1179         return(BTM_WRONG_MODE);
1180     }
1181 
1182     if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
1183     {
1184         return(BTM_NO_RESOURCES);
1185     }
1186 
1187     BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
1188 
1189     /* Finished if connection is active and already paired */
1190     if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
1191          &&  (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
1192 #if (BLE_INCLUDED == TRUE)
1193         ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
1194          &&  (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
1195 #endif
1196 
1197          )
1198     {
1199         BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
1200         return(BTM_SUCCESS);
1201     }
1202 
1203     /* Tell controller to get rid of the link key if it has one stored */
1204     if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1205         return(BTM_NO_RESOURCES);
1206 
1207     /* Save the PIN code if we got a valid one */
1208     if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1209     {
1210         btm_cb.pin_code_len = pin_len;
1211         memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1212     }
1213 
1214     memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1215 
1216     btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1217 
1218     p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1219     p_dev_rec->is_originator     = TRUE;
1220     if (trusted_mask)
1221         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1222 
1223 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1224     if (transport == BT_TRANSPORT_LE)
1225     {
1226         p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1227 
1228         if (SMP_Pair(bd_addr) == SMP_STARTED)
1229         {
1230             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1231             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1232             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1233             return BTM_CMD_STARTED;
1234         }
1235 
1236         btm_cb.pairing_flags = 0;
1237         return(BTM_NO_RESOURCES);
1238     }
1239 #endif
1240 
1241     p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1242                                   | BTM_SEC_ROLE_SWITCHED  | BTM_SEC_LINK_KEY_AUTHED);
1243 
1244 
1245     BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1246     if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
1247     {
1248         /* The special case when we authenticate keyboard.  Set pin type to fixed */
1249         /* It would be probably better to do it from the application, but it is */
1250         /* complicated */
1251         if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1252             && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1253             && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1254         {
1255             btm_cb.pin_type_changed = TRUE;
1256             btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1257         }
1258     }
1259 
1260     for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1261     {
1262         p_features = p_dev_rec->features[ii];
1263         BTM_TRACE_EVENT("  remote_features page[%1d] = %02x-%02x-%02x-%02x",
1264                          ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1265         BTM_TRACE_EVENT("                              %02x-%02x-%02x-%02x",
1266                              p_features[4], p_features[5], p_features[6], p_features[7]);
1267     }
1268 
1269     BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x  HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1270 
1271 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1272     p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1273 #endif
1274 
1275     /* If connection already exists... */
1276     if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1277     {
1278         if (!btm_sec_start_authentication (p_dev_rec))
1279             return(BTM_NO_RESOURCES);
1280 
1281         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1282 
1283         /* Mark lcb as bonding */
1284         l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1285         return(BTM_CMD_STARTED);
1286     }
1287 
1288     BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1289     if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0])
1290         || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1291     {
1292         if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1293 	        return(BTM_CMD_STARTED);
1294     }
1295     if (BTM_SEC_MODE_SP == btm_cb.security_mode && BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1296     {
1297         /* local is 2.1 and peer is unknown */
1298         if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1299         {
1300             /* we are not accepting connection request from peer
1301              * -> RNR (to learn if peer is 2.1)
1302              * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1303             btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1304             BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1305         }
1306         else
1307         {
1308             /* We are accepting connection request from peer */
1309             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1310         }
1311         BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1312             btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1313         return BTM_CMD_STARTED;
1314     }
1315 
1316     /* both local and peer are 2.1  */
1317     status = btm_sec_dd_create_conn(p_dev_rec);
1318 
1319     if (status != BTM_CMD_STARTED)
1320     {
1321         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1322     }
1323 
1324     return status;
1325 }
1326 
1327 /*******************************************************************************
1328 **
1329 ** Function         BTM_SecBondByTransport
1330 **
1331 ** Description      This function is called to perform bonding with peer device.
1332 **                  If the connection is already up, but not secure, pairing
1333 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1334 **
1335 ** Parameters:      bd_addr      - Address of the device to bond
1336 **                  transport    - doing SSP over BR/EDR or SMP over LE
1337 **                  pin_len      - length in bytes of the PIN Code
1338 **                  p_pin        - pointer to array with the PIN Code
1339 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1340 **
1341 **  Note: After 2.1 parameters are not used and preserved here not to change API
1342 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1343 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1344                                     UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1345 {
1346 #if SMP_INCLUDED == TRUE
1347     tBT_DEVICE_TYPE     dev_type;
1348     tBLE_ADDR_TYPE      addr_type;
1349 
1350     BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1351     /* LE device, do SMP pairing */
1352     if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1353         (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1354     {
1355         return BTM_ILLEGAL_ACTION;
1356     }
1357 #endif
1358     return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1359 }
1360 
1361 /*******************************************************************************
1362 **
1363 ** Function         BTM_SecBond
1364 **
1365 ** Description      This function is called to perform bonding with peer device.
1366 **                  If the connection is already up, but not secure, pairing
1367 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1368 **
1369 ** Parameters:      bd_addr      - Address of the device to bond
1370 **                  pin_len      - length in bytes of the PIN Code
1371 **                  p_pin        - pointer to array with the PIN Code
1372 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1373 **
1374 **  Note: After 2.1 parameters are not used and preserved here not to change API
1375 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1376 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1377 {
1378     tBT_TRANSPORT   transport = BT_TRANSPORT_BR_EDR;
1379 #if BLE_INCLUDED == TRUE
1380     if (BTM_UseLeLink(bd_addr))
1381         transport = BT_TRANSPORT_LE;
1382 #endif
1383     return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1384 }
1385 /*******************************************************************************
1386 **
1387 ** Function         BTM_SecBondCancel
1388 **
1389 ** Description      This function is called to cancel ongoing bonding process
1390 **                  with peer device.
1391 **
1392 ** Parameters:      bd_addr      - Address of the peer device
1393 **                         transport    - FALSE for BR/EDR link; TRUE for LE link
1394 **
1395 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1396 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1397 {
1398     tBTM_SEC_DEV_REC *p_dev_rec;
1399 
1400     BTM_TRACE_API ("BTM_SecBondCancel()  State: %s flags:0x%x",
1401                     btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1402 
1403     if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1404         ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1405         return BTM_UNKNOWN_ADDR;
1406 
1407 #if SMP_INCLUDED == TRUE
1408     if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1409     {
1410         if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1411         {
1412             BTM_TRACE_DEBUG ("Cancel LE pairing");
1413             if (SMP_PairCancel(bd_addr))
1414             {
1415                 return BTM_CMD_STARTED;
1416             }
1417         }
1418         return BTM_WRONG_MODE;
1419     }
1420 
1421 #endif
1422     BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1423     if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1424         BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1425     {
1426         /* pre-fetching pin for dedicated bonding */
1427         btm_sec_bond_cancel_complete();
1428         return BTM_SUCCESS;
1429     }
1430 
1431     /* If this BDA is in a bonding procedure */
1432     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1433          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1434     {
1435         /* If the HCI link is up */
1436         if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1437         {
1438             /* If some other thread disconnecting, we do not send second command */
1439             if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING)
1440                 return(BTM_CMD_STARTED);
1441 
1442             /* If the HCI link was set up by Bonding process */
1443             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1444                 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1445             else
1446                 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1447 
1448             return BTM_NOT_AUTHORIZED;
1449         }
1450         else /*HCI link is not up */
1451         {
1452             /* If the HCI link creation was started by Bonding process */
1453             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1454             {
1455                 if (btsnd_hcic_create_conn_cancel(bd_addr))
1456                     return BTM_CMD_STARTED;
1457 
1458                 return BTM_NO_RESOURCES;
1459             }
1460             if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1461             {
1462                 BTM_CancelRemoteDeviceName();
1463                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1464                 return BTM_CMD_STARTED;
1465             }
1466             return BTM_NOT_AUTHORIZED;
1467         }
1468     }
1469 
1470     return BTM_WRONG_MODE;
1471 }
1472 
1473 /*******************************************************************************
1474 **
1475 ** Function         BTM_SecUseMasterLinkKey
1476 **
1477 ** Description      This function is called to tell master of the piconet to
1478 **                  switch to master link key
1479 **
1480 ** Parameters:      use_master_key - If true Master Link Key shoul be used
1481 **
1482 *******************************************************************************/
BTM_SecUseMasterLinkKey(BOOLEAN use_master_key)1483 tBTM_STATUS BTM_SecUseMasterLinkKey (BOOLEAN use_master_key)
1484 {
1485     return(btsnd_hcic_master_link_key (use_master_key) ?  BTM_SUCCESS :
1486            BTM_NO_RESOURCES);
1487 }
1488 
1489 /*******************************************************************************
1490 **
1491 ** Function         BTM_SetMasterKeyCompCback
1492 **
1493 ** Description      This function is called to register for the master key complete
1494 **                  status event.
1495 **
1496 ** Parameters:      mkey_cback - callback registered with the security manager
1497 **
1498 *******************************************************************************/
BTM_SetMasterKeyCompCback(tBTM_MKEY_CALLBACK * mkey_cback)1499 void BTM_SetMasterKeyCompCback( tBTM_MKEY_CALLBACK *mkey_cback )
1500 {
1501     btm_cb.mkey_cback = mkey_cback;
1502 }
1503 
1504 /*******************************************************************************
1505 **
1506 ** Function         BTM_SecGetDeviceLinkKey
1507 **
1508 ** Description      This function is called to obtain link key for the device
1509 **                  it returns BTM_SUCCESS if link key is available, or
1510 **                  BTM_UNKNOWN_ADDR if Security Manager does not know about
1511 **                  the device or device record does not contain link key info
1512 **
1513 ** Parameters:      bd_addr      - Address of the device
1514 **                  link_key     - Link Key is copied into this array
1515 **
1516 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1517 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1518 {
1519     tBTM_SEC_DEV_REC *p_dev_rec;
1520 
1521     if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1522         && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1523     {
1524         memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1525         return(BTM_SUCCESS);
1526     }
1527     return(BTM_UNKNOWN_ADDR);
1528 }
1529 
1530 
1531 /*******************************************************************************
1532 **
1533 ** Function         BTM_SetEncryption
1534 **
1535 ** Description      This function is called to ensure that connection is
1536 **                  encrypted.  Should be called only on an open connection.
1537 **                  Typically only needed for connections that first want to
1538 **                  bring up unencrypted links, then later encrypt them.
1539 **
1540 ** Parameters:      bd_addr       - Address of the peer device
1541 **                  p_callback    - Pointer to callback function called if
1542 **                                  this function returns PENDING after required
1543 **                                  procedures are completed.  Can be set to NULL
1544 **                                  if status is not desired.
1545 **                  p_ref_data    - pointer to any data the caller wishes to receive
1546 **                                  in the callback function upon completion.
1547 *                                   can be set to NULL if not used.
1548 **                  transport  -    TRUE to encryption the link over LE trasnport
1549 **                                  or FALSE for BR/EDR trasnport
1550 **
1551 ** Returns          BTM_SUCCESS   - already encrypted
1552 **                  BTM_PENDING   - command will be returned in the callback
1553 **                  BTM_WRONG_MODE- connection not up.
1554 **                  BTM_BUSY      - security procedures are currently active
1555 **                  BTM_MODE_UNSUPPORTED - if security manager not linked in.
1556 **
1557 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1558 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1559                                void *p_ref_data)
1560 {
1561     tBTM_SEC_DEV_REC  *p_dev_rec;
1562     tBTM_STATUS       rc;
1563 #if BLE_INCLUDED == TRUE
1564    tACL_CONN         *p = btm_bda_to_acl(bd_addr, transport);
1565 #endif
1566 
1567     p_dev_rec = btm_find_dev (bd_addr);
1568 
1569     if (!p_dev_rec ||
1570         (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1571 #if BLE_INCLUDED == TRUE
1572         || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1573 #endif
1574         )
1575     {
1576         /* Connection should be up and runnning */
1577         BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1578 
1579         if (p_callback)
1580             (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1581 
1582         return(BTM_WRONG_MODE);
1583     }
1584 
1585     if ((transport == BT_TRANSPORT_BR_EDR &&
1586          (p_dev_rec->sec_flags &  BTM_SEC_ENCRYPTED))
1587 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1588          || (transport == BT_TRANSPORT_LE &&
1589            (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED))
1590 #endif
1591           )
1592     {
1593         BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1594 
1595         if (p_callback)
1596             (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1597 
1598         return(BTM_SUCCESS);
1599     }
1600 
1601     if (p_dev_rec->p_callback)
1602     {
1603         /* Connection should be up and runnning */
1604         BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy");
1605 
1606         if (p_callback)
1607             (*p_callback) (bd_addr, transport, p_ref_data, BTM_BUSY);
1608 
1609         return(BTM_BUSY);
1610     }
1611 
1612     p_dev_rec->p_callback        = p_callback;
1613     p_dev_rec->p_ref_data        = p_ref_data;
1614     p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1615     p_dev_rec->is_originator     = FALSE;
1616 
1617     BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1618                     p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1619                     p_dev_rec->security_required);
1620 
1621 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1622     if (transport == BT_TRANSPORT_LE)
1623     {
1624         rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1625     }
1626     else
1627 #endif
1628 
1629         rc = btm_sec_execute_procedure (p_dev_rec);
1630 
1631     if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1632     {
1633         if (p_callback)
1634         {
1635             p_dev_rec->p_callback = NULL;
1636             (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1637         }
1638     }
1639     return(rc);
1640 }
1641 
1642 /*******************************************************************************
1643  * disconnect the ACL link, if it's not done yet.
1644 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1645 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1646 {
1647     UINT8       old_state = p_dev_rec->sec_state;
1648     tBTM_STATUS status = BTM_CMD_STARTED;
1649 
1650     BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect:  handle:0x%x, reason=0x%x",
1651                       conn_handle, reason);
1652 
1653     /* if some other thread disconnecting, we do not send second command */
1654     if (BTM_SEC_STATE_DISCONNECTING != old_state)
1655     {
1656         p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING;
1657 
1658 #if BTM_DISC_DURING_RS == TRUE
1659         /* If a Role Switch is in progress, delay the HCI Disconnect to avoid controller problem (4329B1) */
1660         if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING &&
1661              p_dev_rec->hci_handle == conn_handle)
1662 
1663         {
1664                  BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1665                  p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1666                  status = BTM_SUCCESS;
1667         }
1668         else
1669 #endif
1670         /* Tear down the HCI link */
1671         if (!btsnd_hcic_disconnect (conn_handle, reason))
1672         {
1673             /* could not send disconnect. restore old state */
1674             p_dev_rec->sec_state = old_state;
1675             status = BTM_NO_RESOURCES;
1676         }
1677     }
1678     return (status);
1679 }
1680 
1681 /*******************************************************************************
1682 **
1683 ** Function         BTM_ConfirmReqReply
1684 **
1685 ** Description      This function is called to confirm the numeric value for
1686 **                  Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1687 **
1688 ** Parameters:      res           - result of the operation BTM_SUCCESS if success
1689 **                  bd_addr       - Address of the peer device
1690 **
1691 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1692 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1693 {
1694     tBTM_SEC_DEV_REC *p_dev_rec;
1695 
1696     BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s  Res: %u",
1697                       btm_pair_state_descr(btm_cb.pairing_state), res);
1698 
1699     /* If timeout already expired or has been canceled, ignore the reply */
1700     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1701          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1702         return;
1703 
1704     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1705 
1706     if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1707     {
1708         btm_cb.acl_disc_reason = HCI_SUCCESS;
1709 
1710         if (res == BTM_SUCCESS)
1711         {
1712             if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1713                 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1714         }
1715 
1716         btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1717     }
1718     else
1719     {
1720         /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1721         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1722         btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1723     }
1724 }
1725 
1726 /*******************************************************************************
1727 **
1728 ** Function         BTM_PasskeyReqReply
1729 **
1730 ** Description      This function is called to provide the passkey for
1731 **                  Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1732 **
1733 ** Parameters:      res     - result of the operation BTM_SUCCESS if success
1734 **                  bd_addr - Address of the peer device
1735 **                  passkey - numeric value in the range of
1736 **                  BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1737 **
1738 *******************************************************************************/
1739 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1740 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1741 {
1742     tBTM_SEC_DEV_REC *p_dev_rec;
1743 
1744     BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s  res:%d",
1745                     btm_pair_state_descr(btm_cb.pairing_state), res);
1746 
1747     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1748          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1749     {
1750         return;
1751     }
1752 
1753     /* If timeout already expired or has been canceled, ignore the reply */
1754     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1755     {
1756         if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1757         {
1758             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1759 
1760             if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1761                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1762             else
1763                 BTM_SecBondCancel(bd_addr);
1764 
1765             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1766 
1767             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1768             return;
1769         }
1770     }
1771     else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1772         return;
1773 
1774     if (passkey > BTM_MAX_PASSKEY_VAL)
1775         res = BTM_ILLEGAL_VALUE;
1776 
1777     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1778 
1779     if (res != BTM_SUCCESS)
1780     {
1781         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1782         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1783         btsnd_hcic_user_passkey_neg_reply (bd_addr);
1784     }
1785     else
1786     {
1787         btm_cb.acl_disc_reason = HCI_SUCCESS;
1788         btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1789     }
1790 }
1791 #endif
1792 
1793 /*******************************************************************************
1794 **
1795 ** Function         BTM_SendKeypressNotif
1796 **
1797 ** Description      This function is used during the passkey entry model
1798 **                  by a device with KeyboardOnly IO capabilities
1799 **                  (very likely to be a HID Device).
1800 **                  It is called by a HID Device to inform the remote device when
1801 **                  a key has been entered or erased.
1802 **
1803 ** Parameters:      bd_addr - Address of the peer device
1804 **                  type - notification type
1805 **
1806 *******************************************************************************/
1807 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1808 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1809 {
1810     /* This API only make sense between PASSKEY_REQ and SP complete */
1811     if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1812         btsnd_hcic_send_keypress_notif (bd_addr, type);
1813 }
1814 #endif
1815 
1816 #if BTM_OOB_INCLUDED == TRUE
1817 /*******************************************************************************
1818 **
1819 ** Function         BTM_IoCapRsp
1820 **
1821 ** Description      This function is called in response to BTM_SP_IO_REQ_EVT
1822 **                  When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1823 **                  by the tBTM_SP_CALLBACK implementation, this function is
1824 **                  called to provide the actual response
1825 **
1826 ** Parameters:      bd_addr - Address of the peer device
1827 **                  io_cap  - The IO capability of local device.
1828 **                  oob     - BTM_OOB_NONE or BTM_OOB_PRESENT.
1829 **                  auth_req- MITM protection required or not.
1830 **
1831 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1832 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1833 {
1834     BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s  oob: %d io_cap: %d",
1835                       btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1836 
1837     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1838          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1839         return;
1840 
1841     if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1842     {
1843         btm_cb.devcb.loc_auth_req   = auth_req;
1844         btm_cb.devcb.loc_io_caps    = io_cap;
1845 
1846         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1847             auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1848 
1849         btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1850     }
1851 }
1852 
1853 /*******************************************************************************
1854 **
1855 ** Function         BTM_ReadLocalOobData
1856 **
1857 ** Description      This function is called to read the local OOB data from
1858 **                  LM
1859 **
1860 *******************************************************************************/
BTM_ReadLocalOobData(void)1861 tBTM_STATUS BTM_ReadLocalOobData(void)
1862 {
1863     tBTM_STATUS status = BTM_SUCCESS;
1864 
1865     if (btsnd_hcic_read_local_oob_data() == FALSE)
1866         status = BTM_NO_RESOURCES;
1867 
1868     return status;
1869 }
1870 
1871 /*******************************************************************************
1872 **
1873 ** Function         BTM_RemoteOobDataReply
1874 **
1875 ** Description      This function is called to provide the remote OOB data for
1876 **                  Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1877 **
1878 ** Parameters:      bd_addr     - Address of the peer device
1879 **                  c           - simple pairing Hash C.
1880 **                  r           - simple pairing Randomizer  C.
1881 **
1882 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1883 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1884 {
1885     BTM_TRACE_EVENT ("BTM_RemoteOobDataReply():  State: %s  res:%d",
1886                       btm_pair_state_descr(btm_cb.pairing_state), res);
1887 
1888     /* If timeout already expired or has been canceled, ignore the reply */
1889     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1890         return;
1891 
1892     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1893 
1894     if (res != BTM_SUCCESS)
1895     {
1896         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1897         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1898         btsnd_hcic_rem_oob_neg_reply (bd_addr);
1899     }
1900     else
1901     {
1902         btm_cb.acl_disc_reason = HCI_SUCCESS;
1903         btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1904     }
1905 }
1906 
1907 /*******************************************************************************
1908 **
1909 ** Function         BTM_BuildOobData
1910 **
1911 ** Description      This function is called to build the OOB data payload to
1912 **                  be sent over OOB (non-Bluetooth) link
1913 **
1914 ** Parameters:      p_data  - the location for OOB data
1915 **                  max_len - p_data size.
1916 **                  c       - simple pairing Hash C.
1917 **                  r       - simple pairing Randomizer  C.
1918 **                  name_len- 0, local device name would not be included.
1919 **                            otherwise, the local device name is included for
1920 **                            up to this specified length
1921 **
1922 ** Returns          Number of bytes in p_data.
1923 **
1924 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1925 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1926                         BT_OCTET16 r, UINT8 name_len)
1927 {
1928     UINT8   *p = p_data;
1929     UINT16  len = 0;
1930     UINT16  delta;
1931 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1932     UINT16  name_size;
1933     UINT8   name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1934 #endif
1935 
1936     if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1937     {
1938         /* add mandatory part */
1939         UINT16_TO_STREAM(p, len);
1940         BDADDR_TO_STREAM(p, btm_cb.devcb.local_addr);
1941 
1942         len = BTM_OOB_MANDATORY_SIZE;
1943         max_len -= len;
1944 
1945         /* now optional part */
1946 
1947         /* add Hash C */
1948         delta = BTM_OOB_HASH_C_SIZE + 2;
1949         if (max_len >= delta)
1950         {
1951             *p++ = BTM_OOB_HASH_C_SIZE + 1;
1952             *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1953             ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1954             len     += delta;
1955             max_len -= delta;
1956         }
1957 
1958         /* add Rand R */
1959         delta = BTM_OOB_RAND_R_SIZE + 2;
1960         if (max_len >= delta)
1961         {
1962             *p++ = BTM_OOB_RAND_R_SIZE + 1;
1963             *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1964             ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1965             len     += delta;
1966             max_len -= delta;
1967         }
1968 
1969         /* add class of device */
1970         delta = BTM_OOB_COD_SIZE + 2;
1971         if (max_len >= delta)
1972         {
1973             *p++ = BTM_OOB_COD_SIZE + 1;
1974             *p++ = BTM_EIR_OOB_COD_TYPE;
1975             DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1976             len     += delta;
1977             max_len -= delta;
1978         }
1979 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1980         name_size = name_len;
1981         if (name_size > strlen(btm_cb.cfg.bd_name))
1982         {
1983             name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1984             name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1985         }
1986         delta = name_size + 2;
1987         if (max_len >= delta)
1988         {
1989             *p++ = name_size + 1;
1990             *p++ = name_type;
1991             ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1992             len     += delta;
1993             max_len -= delta;
1994         }
1995 #endif
1996         /* update len */
1997         p = p_data;
1998         UINT16_TO_STREAM(p, len);
1999     }
2000     return len;
2001 }
2002 
2003 /*******************************************************************************
2004 **
2005 ** Function         BTM_ReadOobData
2006 **
2007 ** Description      This function is called to parse the OOB data payload
2008 **                  received over OOB (non-Bluetooth) link
2009 **
2010 ** Parameters:      p_data  - the location for OOB data
2011 **                  eir_tag - The associated EIR tag to read the data.
2012 **                  *p_len(output) - the length of the data with the given tag.
2013 **
2014 ** Returns          the beginning of the data with the given tag.
2015 **                  NULL, if the tag is not found.
2016 **
2017 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)2018 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
2019 {
2020     UINT8   *p = p_data;
2021     UINT16  max_len;
2022     UINT8   len, type;
2023     UINT8   *p_ret = NULL;
2024     UINT8   ret_len = 0;
2025 
2026     if (p_data)
2027     {
2028         STREAM_TO_UINT16(max_len, p);
2029         if (max_len >= BTM_OOB_MANDATORY_SIZE)
2030         {
2031             if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
2032             {
2033                 p_ret = p; /* the location for bd_addr */
2034                 ret_len = BTM_OOB_BD_ADDR_SIZE;
2035             }
2036             else
2037             {
2038                 p += BD_ADDR_LEN;
2039                 max_len -= BTM_OOB_MANDATORY_SIZE;
2040                 /* now the optional data in EIR format */
2041                 while (max_len > 0)
2042                 {
2043                     len     = *p++; /* tag data len + 1 */
2044                     type    = *p++;
2045                     if (eir_tag == type)
2046                     {
2047                         p_ret = p;
2048                         ret_len = len - 1;
2049                         break;
2050                     }
2051                     /* the data size of this tag is len + 1 (tag data len + 2) */
2052                     if (max_len > len)
2053                     {
2054                         max_len -= len;
2055                         max_len--;
2056                         len--;
2057                         p += len;
2058                     }
2059                     else
2060                         max_len = 0;
2061                 }
2062             }
2063         }
2064     }
2065 
2066     if (p_len)
2067         *p_len = ret_len;
2068 
2069     return p_ret;
2070 }
2071 #endif
2072 
2073 /*******************************************************************************
2074 **
2075 ** Function         BTM_SetOutService
2076 **
2077 ** Description      This function is called to set the service for
2078 **                  outgoing connections.
2079 **
2080 **                  If the profile/application calls BTM_SetSecurityLevel
2081 **                  before initiating a connection, this function does not
2082 **                  need to be called.
2083 **
2084 ** Returns          void
2085 **
2086 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)2087 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
2088 {
2089     tBTM_SEC_DEV_REC *p_dev_rec;
2090     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
2091     int i;
2092 
2093     btm_cb.p_out_serv = p_serv_rec;
2094     p_dev_rec = btm_find_dev (bd_addr);
2095 
2096     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
2097     {
2098         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
2099             && (p_serv_rec->service_id == service_id)
2100             && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
2101         {
2102             BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
2103                            p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
2104             btm_cb.p_out_serv = p_serv_rec;
2105             if (p_dev_rec)
2106                 p_dev_rec->p_cur_service = p_serv_rec;
2107             break;
2108         }
2109     }
2110 }
2111 
2112 /************************************************************************
2113 **              I N T E R N A L     F U N C T I O N S
2114 *************************************************************************/
2115 /*******************************************************************************
2116 **
2117 ** Function         btm_sec_is_upgrade_possible
2118 **
2119 ** Description      This function returns TRUE if the existing link key
2120 **                  can be upgraded or if the link key does not exist.
2121 **
2122 ** Returns          BOOLEAN
2123 **
2124 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2125 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
2126 {
2127     UINT16              mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
2128     BOOLEAN             is_possible = TRUE;
2129 
2130     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
2131     {
2132         is_possible = FALSE;
2133         if(p_dev_rec->p_cur_service)
2134         {
2135         BTM_TRACE_DEBUG ("btm_sec_is_upgrade_possible id:%d, link_key_typet:%d, rmt_io_caps:%d, chk flags:x%x, flags:x%x",
2136                           p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps,
2137                           mtm_check, p_dev_rec->p_cur_service->security_flags);
2138         }
2139         else
2140         {
2141             BTM_TRACE_DEBUG ("btm_sec_is_upgrade_possible link_key_typet:%d, rmt_io_caps:%d, chk flags:x%x, ",
2142                           p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
2143         }
2144         /* Already have a link key to the connected peer. Is the link key secure enough?
2145         ** Is a link key upgrade even possible?
2146         */
2147         if ((p_dev_rec->security_required & mtm_check)                          /* needs MITM */
2148             && (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) /* has unauthenticated link key */
2149             && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX)                           /* a valid peer IO cap */
2150             && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) /* authenticated link key is possible */
2151         {
2152             /* upgrade is possible: check if the application wants the upgrade.
2153              * If the application is configured to use a global MITM flag,
2154              * it probably would not want to upgrade the link key based on the security level database */
2155             is_possible = TRUE;
2156         }
2157     }
2158     BTM_TRACE_DEBUG ("btm_sec_is_upgrade_possible is_possible:%d sec_flags:0x%x", is_possible, p_dev_rec->sec_flags);
2159     return is_possible;
2160 }
2161 
2162 /*******************************************************************************
2163 **
2164 ** Function         btm_sec_check_upgrade
2165 **
2166 ** Description      This function is called to check if the existing link key
2167 **                  needs to be upgraded.
2168 **
2169 ** Returns          void
2170 **
2171 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2172 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
2173 {
2174     tBTM_SP_UPGRADE     evt_data;
2175 
2176     BTM_TRACE_DEBUG ("btm_sec_check_upgrade...");
2177 
2178     /* Only check if link key already exists */
2179     if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2180         return;
2181     if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2182     {
2183         BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2184         /* upgrade is possible: check if the application wants the upgrade.
2185          * If the application is configured to use a global MITM flag,
2186          * it probably would not want to upgrade the link key based on the security level database */
2187         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2188         evt_data.upgrade = TRUE;
2189         if (btm_cb.api.p_sp_callback)
2190             (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2191 
2192         BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
2193         if (evt_data.upgrade)
2194         {
2195             /* if the application confirms the upgrade, set the upgrade bit */
2196             p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2197 
2198             /* Clear the link key known to go through authentication/pairing again */
2199             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2200             p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2201             BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
2202         }
2203     }
2204 }
2205 
2206 /*******************************************************************************
2207 **
2208 ** Function         btm_sec_l2cap_access_req
2209 **
2210 ** Description      This function is called by the L2CAP to grant permission to
2211 **                  establish L2CAP connection to or from the peer device.
2212 **
2213 ** Parameters:      bd_addr       - Address of the peer device
2214 **                  psm           - L2CAP PSM
2215 **                  is_originator - TRUE if protocol above L2CAP originates
2216 **                                  connection
2217 **                  p_callback    - Pointer to callback function called if
2218 **                                  this function returns PENDING after required
2219 **                                  procedures are complete. MUST NOT BE NULL.
2220 **
2221 ** Returns          tBTM_STATUS
2222 **
2223 *******************************************************************************/
2224 #define BTM_SEC_OUT_FLAGS   (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2225 #define BTM_SEC_IN_FLAGS    (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2226 
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2227 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2228                                       CONNECTION_TYPE conn_type,
2229                                       tBTM_SEC_CALLBACK *p_callback,
2230                                       void *p_ref_data)
2231 {
2232     tBTM_SEC_DEV_REC  *p_dev_rec;
2233     tBTM_SEC_SERV_REC *p_serv_rec;
2234     UINT16         security_required;
2235     UINT16         old_security_required;
2236     BOOLEAN       old_is_originator;
2237     tBTM_STATUS   rc = BTM_SUCCESS;
2238     BOOLEAN       chk_acp_auth_done = FALSE;
2239     BOOLEAN is_originator;
2240     BOOLEAN     transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */
2241 
2242 #if (L2CAP_UCD_INCLUDED == TRUE)
2243     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2244         is_originator = TRUE;
2245     else
2246         is_originator = FALSE;
2247 
2248     BTM_TRACE_DEBUG ("btm_sec_l2cap_access_req conn_type:0x%x, 0x%x", conn_type, p_ref_data);
2249 #else
2250     is_originator = conn_type;
2251 
2252     BTM_TRACE_DEBUG ("btm_sec_l2cap_access_req is_originator:%d, 0x%x", is_originator, p_ref_data);
2253 #endif
2254 
2255     /* Find or get oldest record */
2256     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2257 
2258     p_dev_rec->hci_handle = handle;
2259 
2260     /* Find the service record for the PSM */
2261     p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2262 
2263     /* If there is no application registered with this PSM do not allow connection */
2264     if (!p_serv_rec)
2265     {
2266         BTM_TRACE_WARNING ("btm_sec_l2cap_access_req()  PSM:%d no application registerd", psm);
2267 
2268         (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2269 
2270         return(BTM_MODE_UNSUPPORTED);
2271     }
2272 
2273     /* SDP connection we will always let through */
2274     if (BT_PSM_SDP == psm)
2275     {
2276         (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2277 
2278         return(BTM_SUCCESS);
2279     }
2280 #if (L2CAP_UCD_INCLUDED == TRUE)
2281     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2282     {
2283         security_required = p_serv_rec->ucd_security_flags;
2284 
2285         rc = BTM_CMD_STARTED;
2286         if (is_originator)
2287         {
2288             if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2289                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2290                 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2291                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2292             {
2293                 rc = BTM_SUCCESS;
2294             }
2295         }
2296         else
2297         {
2298             if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2299                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2300                 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2301                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2302             {
2303                 rc = BTM_SUCCESS;
2304             }
2305         }
2306 
2307         if (rc == BTM_SUCCESS)
2308         {
2309             if (p_callback)
2310                 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2311 
2312             return(BTM_SUCCESS);
2313         }
2314     }
2315     else
2316 #endif
2317     {
2318         security_required = p_serv_rec->security_flags;
2319     }
2320 
2321     /* there are some devices (moto KRZR) which connects to several services at the same time */
2322     /* we will process one after another */
2323     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2324     {
2325         BTM_TRACE_EVENT ("btm_sec_l2cap_access_req() - busy - PSM:%d delayed  state: %s mode:%d, sm4:0x%x",
2326                           psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2327         BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2328         rc = BTM_CMD_STARTED;
2329         if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2330             || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2331             || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2332            )
2333         {
2334             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2335              * or SM4 with no possibility of link key upgrade */
2336             if (is_originator)
2337             {
2338                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2339                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2340                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2341                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec)  && btm_dev_encrypted(p_dev_rec))) )
2342                 {
2343                     rc = BTM_SUCCESS;
2344                 }
2345             }
2346             else
2347             {
2348                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2349                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2350                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2351                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2352                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2353                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2354                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS)  && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2355                 {
2356                     rc = BTM_SUCCESS;
2357                 }
2358             }
2359 
2360             if (rc == BTM_SUCCESS)
2361             {
2362                 if (p_callback)
2363                     (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2364 
2365                 return(BTM_SUCCESS);
2366             }
2367         }
2368 
2369         btm_cb.sec_req_pending = TRUE;
2370         return(BTM_CMD_STARTED);
2371     }
2372 
2373     /* Save pointer to service record */
2374     p_dev_rec->p_cur_service = p_serv_rec;
2375 
2376 
2377     /* mess /w security_required in btm_sec_l2cap_access_req for Lisbon */
2378     if (btm_cb.security_mode == BTM_SEC_MODE_SP)
2379     {
2380         if (is_originator)
2381         {
2382             if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2383             {
2384                 /* SM4 to SM4 -> always authenticate & encrypt */
2385                 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2386             }
2387             else
2388             {
2389                 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2390                 {
2391                     BTM_TRACE_DEBUG ("remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2392                     /* the remote features are not known yet */
2393                     p_dev_rec->sm4          |= BTM_SM4_REQ_PEND;
2394 
2395                     return(BTM_CMD_STARTED);
2396                 }
2397             }
2398         }
2399         else
2400         {
2401             /* responder */
2402             if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2403             {
2404                 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2405                 chk_acp_auth_done = TRUE;
2406                 /* SM4 to SM4 -> always authenticate & encrypt */
2407                 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2408             }
2409             else
2410             {
2411                 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2412                 {
2413                     BTM_TRACE_DEBUG ("(rsp) remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2414                     /* the remote features are not known yet */
2415                     p_dev_rec->sm4          |= BTM_SM4_REQ_PEND;
2416 
2417                     return(BTM_CMD_STARTED);
2418                 }
2419             }
2420         }
2421     }
2422 
2423     BTM_TRACE_DEBUG ("btm_sec_l2cap_access_req()  sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d",
2424                       p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2425 
2426     old_security_required        = p_dev_rec->security_required;
2427     old_is_originator            = p_dev_rec->is_originator;
2428     p_dev_rec->security_required = security_required;
2429     p_dev_rec->p_ref_data        = p_ref_data;
2430     p_dev_rec->is_originator     = is_originator;
2431 
2432 #if (L2CAP_UCD_INCLUDED == TRUE)
2433     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2434         p_dev_rec->is_ucd = TRUE;
2435     else
2436         p_dev_rec->is_ucd = FALSE;
2437 #endif
2438 
2439     /* If there are multiple service records used through the same PSM */
2440     /* leave security decision for the multiplexor on the top */
2441 #if (L2CAP_UCD_INCLUDED == TRUE)
2442     if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2443         &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2444 #else
2445     if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2446 #endif
2447     {
2448         BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2449         if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2450         {
2451             BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2452             /* pre-Lisbon: restore the old settings */
2453             p_dev_rec->security_required = old_security_required;
2454             p_dev_rec->is_originator     = old_is_originator;
2455 
2456             (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2457 
2458             return(BTM_SUCCESS);
2459         }
2460     }
2461 
2462     /* if the originator is using dynamic PSM in legacy mode, do not start any security process now.
2463      * The layer above L2CAP needs to carry out the security requirement after L2CAP connect response is received*/
2464     if (is_originator && (btm_cb.security_mode != BTM_SEC_MODE_SP || !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2465     {
2466         BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2467         /* restore the old settings */
2468         p_dev_rec->security_required = old_security_required;
2469         p_dev_rec->is_originator     = old_is_originator;
2470 
2471         (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2472 
2473         return(BTM_SUCCESS);
2474     }
2475 
2476     if (chk_acp_auth_done)
2477     {
2478         BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2479                           (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2480         /* SM4, but we do not know for sure which level of security we need.
2481          * as long as we have a link key, it's OK */
2482         if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2483             ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2484         {
2485             rc = BTM_DELAY_CHECK;
2486             /*
2487             2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2488             because of data path issues. Delay this disconnect a little bit
2489             */
2490             BTM_TRACE_ERROR ("peer should have initiated security process by now (SM4 to SM4)");
2491             p_dev_rec->p_callback        = p_callback;
2492             p_dev_rec->sec_state         = BTM_SEC_STATE_DELAY_FOR_ENC;
2493             (*p_callback) (bd_addr, transport, p_ref_data, rc);
2494 
2495             return(BTM_CMD_STARTED);
2496         }
2497     }
2498 
2499     p_dev_rec->p_callback        = p_callback;
2500 
2501     if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2502         || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2503     {
2504         /* Although authentication and encryption are per connection
2505         ** authorization is per access request.  For example when serial connection
2506         ** is up and authorized and client requests to read file (access to other
2507         ** scn), we need to request user's permission again.
2508         */
2509         p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2510     }
2511 
2512     if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2513     {
2514         /* If we already have a link key to the connected peer, is the link key secure enough ? */
2515         btm_sec_check_upgrade(p_dev_rec, is_originator);
2516     }
2517 
2518     BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d Handle:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2519                       psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2520 
2521     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2522     {
2523         p_dev_rec->p_callback = NULL;
2524         (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2525     }
2526 
2527     return(rc);
2528 }
2529 
2530 /*******************************************************************************
2531 **
2532 ** Function         btm_sec_mx_access_request
2533 **
2534 ** Description      This function is called by all Multiplexing Protocols during
2535 **                  establishing connection to or from peer device to grant
2536 **                  permission to establish application connection.
2537 **
2538 ** Parameters:      bd_addr       - Address of the peer device
2539 **                  psm           - L2CAP PSM
2540 **                  is_originator - TRUE if protocol above L2CAP originates
2541 **                                  connection
2542 **                  mx_proto_id   - protocol ID of the multiplexer
2543 **                  mx_chan_id    - multiplexer channel to reach application
2544 **                  p_callback    - Pointer to callback function called if
2545 **                                  this function returns PENDING after required
2546 **                                  procedures are completed
2547 **                  p_ref_data    - Pointer to any reference data needed by the
2548 **                                  the callback function.
2549 **
2550 ** Returns          BTM_CMD_STARTED
2551 **
2552 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2553 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2554                                        UINT32 mx_proto_id, UINT32 mx_chan_id,
2555                                        tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2556 
2557 {
2558     tBTM_SEC_DEV_REC  *p_dev_rec;
2559     tBTM_SEC_SERV_REC *p_serv_rec;
2560     tBTM_STATUS        rc;
2561     UINT16             security_required;
2562     BOOLEAN transport   = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2563 
2564     BTM_TRACE_DEBUG ("btm_sec_mx_access_request is_originator:%d", is_originator);
2565     /* Find or get oldest record */
2566     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2567 
2568     /* Find the service record for the PSM */
2569     p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2570 
2571     /* If there is no application registered with this PSM do not allow connection */
2572     if (!p_serv_rec)
2573     {
2574         if (p_callback)
2575             (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2576 
2577         BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2578                           psm, mx_proto_id, mx_chan_id);
2579         return BTM_NO_RESOURCES;
2580     }
2581 
2582     /* there are some devices (moto phone) which connects to several services at the same time */
2583     /* we will process one after another */
2584     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2585     {
2586         BTM_TRACE_EVENT ("btm_sec_mx_access_request service PSM:%d Proto:%d SCN:%d delayed  state: %s",
2587                           psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2588 
2589         rc = BTM_CMD_STARTED;
2590         security_required = p_serv_rec->security_flags;
2591         if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2592             || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2593             || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2594            )
2595         {
2596             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2597              * or SM4 with no possibility of link key upgrade */
2598             if (is_originator)
2599             {
2600                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2601                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2602                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2603                     )
2604                 {
2605                     rc = BTM_SUCCESS;
2606                 }
2607             }
2608             else
2609             {
2610                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2611                     ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2612                     (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2613                     (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2614                     (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2615                     ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2616                     )
2617                 {
2618                     rc = BTM_SUCCESS;
2619                 }
2620             }
2621         }
2622         if (rc == BTM_CMD_STARTED)
2623         {
2624             btm_sec_queue_mx_request (bd_addr, psm,  is_originator, mx_proto_id, mx_chan_id, p_callback, p_ref_data);
2625             return rc;
2626         }
2627     }
2628 
2629     p_dev_rec->p_cur_service     = p_serv_rec;
2630     p_dev_rec->security_required = p_serv_rec->security_flags;
2631 
2632     if (BTM_SEC_MODE_SP == btm_cb.security_mode)
2633     {
2634         if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2635         {
2636             /* If we already have a link key, check if that link key is good enough */
2637             btm_sec_check_upgrade(p_dev_rec, is_originator);
2638         }
2639     }
2640 
2641     p_dev_rec->is_originator     = is_originator;
2642     p_dev_rec->p_callback        = p_callback;
2643     p_dev_rec->p_ref_data        = p_ref_data;
2644 
2645     /* Although authentication and encryption are per connection */
2646     /* authorization is per access request.  For example when serial connection */
2647     /* is up and authorized and client requests to read file (access to other */
2648     /* scn, we need to request user's permission again. */
2649     p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2650 
2651     BTM_TRACE_EVENT ("Security Manager: mx_access_req proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2652                       mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2653 
2654     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2655     {
2656         if (p_callback)
2657         {
2658             p_dev_rec->p_callback = NULL;
2659 
2660             (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2661         }
2662     }
2663 
2664     return rc;
2665 }
2666 
2667 /*******************************************************************************
2668 **
2669 ** Function         btm_sec_conn_req
2670 **
2671 ** Description      This function is when the peer device is requesting
2672 **                  connection
2673 **
2674 ** Returns          void
2675 **
2676 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2677 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2678 {
2679     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bda);
2680 
2681     /* Some device may request a connection before we are done with the HCI_Reset sequence */
2682     if (btm_cb.devcb.state != BTM_DEV_STATE_READY)
2683     {
2684         BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2685         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2686         return;
2687     }
2688 
2689     /* Security guys wants us not to allow connection from not paired devices */
2690 
2691     /* Check if connection is allowed for only paired devices */
2692     if (btm_cb.connect_only_paired)
2693     {
2694         if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2695         {
2696             BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2697             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2698             return;
2699         }
2700     }
2701 
2702 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2703     /* If non-discoverable, only allow known devices to connect */
2704     if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2705     {
2706         if (!p_dev_rec)
2707         {
2708             BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2709             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2710             return;
2711         }
2712     }
2713 #endif
2714 
2715     /* Host can be registered to verify comming BDA or DC */
2716     if (btm_cb.p_conn_filter_cb)
2717     {
2718         if (!(* btm_cb.p_conn_filter_cb) (bda, dc))
2719         {
2720             BTM_TRACE_EVENT ("Security Manager: connect request did not pass filter");
2721 
2722             /* incomming call did not pass connection filters.  Reject */
2723             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2724             return;
2725         }
2726     }
2727 
2728     if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2729         &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2730         &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2731     {
2732         BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2733 
2734         /* incoming connection from bonding device is rejected */
2735         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2736         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2737         return;
2738     }
2739 
2740     /* Host is not interested or approved connection.  Save BDA and DC and */
2741     /* pass request to L2CAP */
2742     memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2743     memcpy (btm_cb.connecting_dc,  dc,  DEV_CLASS_LEN);
2744 
2745     if (l2c_link_hci_conn_req (bda))
2746     {
2747         if (!p_dev_rec)
2748         {
2749             /* accept the connection -> allocate a device record */
2750             p_dev_rec = btm_sec_alloc_dev (bda);
2751         }
2752         if (p_dev_rec)
2753         {
2754             p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2755         }
2756     }
2757 }
2758 
2759 /*******************************************************************************
2760 **
2761 ** Function         btm_sec_bond_cancel_complete
2762 **
2763 ** Description      This function is called to report bond cancel complete
2764 **                  event.
2765 **
2766 ** Returns          void
2767 **
2768 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2769 static void btm_sec_bond_cancel_complete (void)
2770 {
2771     tBTM_SEC_DEV_REC *p_dev_rec;
2772 
2773     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2774         (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2775          BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2776          (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2777           BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2778     {
2779         /* for dedicated bonding in legacy mode, authentication happens at "link level"
2780          * btm_sec_connected is called with failed status.
2781          * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2782          * However, this function may clean out the security related flags and btm_sec_connected would not know
2783          * this function also needs to do proper clean up.
2784          */
2785         if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2786             p_dev_rec->security_required = BTM_SEC_NONE;
2787         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2788 
2789         /* Notify application that the cancel succeeded */
2790         if (btm_cb.api.p_bond_cancel_cmpl_callback)
2791             btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2792     }
2793 }
2794 
2795 /*******************************************************************************
2796 **
2797 ** Function         btm_create_conn_cancel_complete
2798 **
2799 ** Description      This function is called when the command complete message
2800 **                  is received from the HCI for the create connection cancel
2801 **                  command.
2802 **
2803 ** Returns          void
2804 **
2805 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2806 void btm_create_conn_cancel_complete (UINT8 *p)
2807 {
2808     UINT8       status;
2809 
2810     STREAM_TO_UINT8 (status, p);
2811     BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s  status:%d",
2812                       btm_pair_state_descr(btm_cb.pairing_state), status);
2813 
2814     /* if the create conn cancel cmd was issued by the bond cancel,
2815     ** the application needs to be notified that bond cancel succeeded
2816     */
2817     switch (status)
2818     {
2819         case HCI_SUCCESS:
2820             btm_sec_bond_cancel_complete();
2821             break;
2822         case HCI_ERR_CONNECTION_EXISTS:
2823         case HCI_ERR_NO_CONNECTION:
2824         default:
2825             /* Notify application of the error */
2826             if (btm_cb.api.p_bond_cancel_cmpl_callback)
2827                 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2828             break;
2829     }
2830 }
2831 
2832 /*******************************************************************************
2833 **
2834 ** Function         btm_sec_check_pending_reqs
2835 **
2836 ** Description      This function is called at the end of the security procedure
2837 **                  to let L2CAP and RFCOMM know to re-submit any pending requests
2838 **
2839 ** Returns          void
2840 **
2841 *******************************************************************************/
btm_sec_check_pending_reqs(void)2842 void btm_sec_check_pending_reqs (void)
2843 {
2844     tBTM_SEC_QUEUE_ENTRY    *p_e;
2845     BUFFER_Q                bq;
2846 
2847     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2848     {
2849         /* First, resubmit L2CAP requests */
2850         if (btm_cb.sec_req_pending)
2851         {
2852             btm_cb.sec_req_pending = FALSE;
2853             l2cu_resubmit_pending_sec_req (NULL);
2854         }
2855 
2856         /* Now, re-submit anything in the mux queue */
2857         bq = btm_cb.sec_pending_q;
2858 
2859         GKI_init_q (&btm_cb.sec_pending_q);
2860 
2861         while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2862         {
2863             /* Check that the ACL is still up before starting security procedures */
2864             if (btm_bda_to_acl(p_e->bd_addr, BT_TRANSPORT_BR_EDR) != NULL)
2865             {
2866                 BTM_TRACE_EVENT ("btm_sec_check_pending_reqs() submitting  PSM: 0x%04x  Is_Orig: %u  mx_proto_id: %u  mx_chan_id: %u",
2867                                   p_e->psm, p_e->is_orig, p_e->mx_proto_id, p_e->mx_chan_id);
2868 
2869                 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2870                                            p_e->mx_proto_id, p_e->mx_chan_id,
2871                                            p_e->p_callback, p_e->p_ref_data);
2872             }
2873 
2874             GKI_freebuf (p_e);
2875         }
2876     }
2877 }
2878 
2879 /*******************************************************************************
2880 **
2881 ** Function         btm_sec_init
2882 **
2883 ** Description      This function is on the SEC startup
2884 **
2885 ** Returns          void
2886 **
2887 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2888 void btm_sec_init (UINT8 sec_mode)
2889 {
2890 #if 0  /* cleared in btm_init; put back in if calling from anywhere else! */
2891     int i;
2892 
2893     memset (btm_cb.sec_serv_rec, 0, sizeof (btm_cb.sec_serv_rec));
2894     memset (btm_cb.sec_dev_rec, 0, sizeof (btm_cb.sec_dev_rec));
2895     memset (&btm_cb.pairing_tle, 0, sizeof(TIMER_LIST_ENT));
2896 
2897 #endif
2898     btm_cb.security_mode = sec_mode;
2899     memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2900     btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2901 }
2902 
2903 /*******************************************************************************
2904 **
2905 ** Function         btm_sec_device_down
2906 **
2907 ** Description      This function should be called when device is disabled or
2908 **                  turned off
2909 **
2910 ** Returns          void
2911 **
2912 *******************************************************************************/
btm_sec_device_down(void)2913 void btm_sec_device_down (void)
2914 {
2915     BTM_TRACE_EVENT ("btm_sec_device_down()  State: %s", btm_pair_state_descr(btm_cb.pairing_state));
2916 
2917     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2918 }
2919 
2920 /*******************************************************************************
2921 **
2922 ** Function         btm_sec_dev_reset
2923 **
2924 ** Description      This function should be called after device reset
2925 **
2926 ** Returns          void
2927 **
2928 *******************************************************************************/
btm_sec_dev_reset(void)2929 void btm_sec_dev_reset (void)
2930 {
2931 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
2932     if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
2933     {
2934         btsnd_hcic_write_auth_enable (TRUE);
2935         btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT);
2936     }
2937 #endif
2938 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
2939     else
2940 #endif
2941         /* btm_sec_dev_reset() is only called from btm_decode_ext_features_page(...)
2942          * right now. */
2943         if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
2944     {
2945         btsnd_hcic_write_simple_pairing_mode(HCI_SP_MODE_ENABLED);
2946 #if BLE_INCLUDED == TRUE
2947         btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID,
2948                                   (UINT8 *)HCI_DUMO_EVENT_MASK_EXT);
2949 
2950         btsnd_hcic_ble_set_evt_mask((UINT8 *)HCI_BLE_EVENT_MASK_DEF);
2951 
2952 #else
2953         btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID,
2954                                   (UINT8 *)HCI_LISBON_EVENT_MASK_EXT);
2955 #endif
2956         /* set the default IO capabilities */
2957         btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2958         /* add mx service to use no security */
2959 #if (RFCOMM_INCLUDED == TRUE)
2960         BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2961                              BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2962 #endif
2963     }
2964     else
2965     {
2966         btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2967     }
2968 
2969     BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2970 }
2971 
2972 /*******************************************************************************
2973 **
2974 ** Function         btm_sec_abort_access_req
2975 **
2976 ** Description      This function is called by the L2CAP or RFCOMM to abort
2977 **                  the pending operation.
2978 **
2979 ** Parameters:      bd_addr       - Address of the peer device
2980 **
2981 ** Returns          void
2982 **
2983 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2984 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2985 {
2986     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
2987 
2988     if (!p_dev_rec)
2989         return;
2990 
2991     if (btm_cb.api.p_abort_callback)
2992         (*btm_cb.api.p_abort_callback)(bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
2993 
2994     if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
2995         && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
2996         return;
2997 
2998     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
2999     p_dev_rec->p_callback = NULL;
3000 }
3001 
3002 /*******************************************************************************
3003 **
3004 ** Function         btm_sec_dd_create_conn
3005 **
3006 ** Description      This function is called to create the ACL connection for
3007 **                  the dedicated boding process
3008 **
3009 ** Returns          void
3010 **
3011 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)3012 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
3013 {
3014     tL2C_LCB         *p_lcb;
3015 
3016     /* Make sure an L2cap link control block is available */
3017     if ((p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
3018     {
3019         BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
3020                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3021                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3022 
3023         return(BTM_NO_RESOURCES);
3024     }
3025 
3026     /* set up the control block to indicated dedicated bonding */
3027     btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
3028 
3029     if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
3030     {
3031         BTM_TRACE_WARNING ("Security Manager: failed create  [%02x%02x%02x%02x%02x%02x]",
3032                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3033                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3034 
3035         l2cu_release_lcb(p_lcb);
3036         return(BTM_NO_RESOURCES);
3037     }
3038 
3039 #if (defined(BTM_BUSY_LEVEL_CHANGE_INCLUDED) && BTM_BUSY_LEVEL_CHANGE_INCLUDED == TRUE)
3040     btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
3041 #endif
3042 
3043     BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
3044                       p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3045                       p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3046 
3047     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
3048 
3049     return(BTM_CMD_STARTED);
3050 }
3051 
3052 /*******************************************************************************
3053 **
3054 ** Function         btm_sec_rmt_name_request_complete
3055 **
3056 ** Description      This function is called when remote name was obtained from
3057 **                  the peer device
3058 **
3059 ** Returns          void
3060 **
3061 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)3062 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
3063 {
3064     tBTM_SEC_DEV_REC *p_dev_rec;
3065     int              i;
3066     DEV_CLASS        dev_class;
3067     UINT8            old_sec_state;
3068 
3069     BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
3070     if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
3071         || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
3072     {
3073         btm_acl_resubmit_page();
3074     }
3075 
3076     /* If remote name request failed, p_bd_addr is null and we need to search */
3077     /* based on state assuming that we are doing 1 at a time */
3078     if (p_bd_addr)
3079         p_dev_rec = btm_find_dev (p_bd_addr);
3080     else
3081     {
3082         p_dev_rec = &btm_cb.sec_dev_rec[0];
3083 
3084         for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
3085         {
3086             if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
3087                 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
3088             {
3089                 p_bd_addr = p_dev_rec->bd_addr;
3090                 break;
3091             }
3092         }
3093 
3094         if (i == BTM_SEC_MAX_DEVICE_RECORDS)
3095             p_dev_rec = NULL;
3096     }
3097 
3098 
3099     /* Commenting out trace due to obf/compilation problems.
3100     */
3101 #if (BT_USE_TRACES == TRUE)
3102     if (!p_bd_name)
3103         p_bd_name = (UINT8 *)"";
3104 
3105     if (p_dev_rec)
3106     {
3107         BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s  RemName: %s  status: %d State:%d  p_dev_rec: 0x%08x ",
3108                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3109                           status, p_dev_rec->sec_state, p_dev_rec);
3110     }
3111     else
3112     {
3113         BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s  RemName: %s  status: %d",
3114                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3115                           status);
3116     }
3117 #endif
3118 
3119     if (p_dev_rec)
3120     {
3121         old_sec_state = p_dev_rec->sec_state;
3122         if (status == HCI_SUCCESS)
3123         {
3124             BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3125             p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3126             BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
3127         }
3128         else
3129         {
3130             /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3131             p_dev_rec->sec_bd_name[0] = 0;
3132         }
3133 
3134         if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
3135             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3136 
3137         /* Notify all clients waiting for name to be resolved */
3138         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3139         {
3140             if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3141                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3142                                                  p_dev_rec->sec_bd_name);
3143         }
3144     }
3145     else
3146     {
3147         dev_class[0] = 0;
3148         dev_class[1] = 0;
3149         dev_class[2] = 0;
3150 
3151         /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3152         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3153         {
3154             if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3155                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3156         }
3157 
3158         return;
3159     }
3160 
3161     /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3162     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3163          &&  (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3164     {
3165         BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3166 
3167         if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
3168             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
3169             btm_cb.api.p_pin_callback)
3170         {
3171             BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback");
3172             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3173             (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name);
3174         }
3175 
3176         /* Set the same state again to force the timer to be restarted */
3177         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3178         return;
3179     }
3180 
3181     /* Check if we were delaying bonding because name was not resolved */
3182     if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3183     {
3184         if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3185         {
3186             BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
3187             if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3188             {
3189                 btm_sec_bond_cancel_complete();
3190                 return;
3191             }
3192 
3193             if (status != HCI_SUCCESS)
3194             {
3195                 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3196 
3197                 if (btm_cb.api.p_auth_complete_callback)
3198                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3199                                                             p_dev_rec->sec_bd_name, status);
3200                 return;
3201             }
3202 
3203             /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3204             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3205             {
3206                 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3207                 /* If it is set, there may be a race condition */
3208                 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete  IS_SM4_UNKNOWN Flags:0x%04x",
3209                                    btm_cb.pairing_flags);
3210                 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3211                 {
3212                     p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3213                 }
3214             }
3215 
3216             BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
3217                 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3218                 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3219 
3220             /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3221             ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3222             */
3223             if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3224             {
3225                 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3226                 /*  before originating  */
3227                 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3228                 {
3229                     BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
3230                 }
3231                 /* Both we and the peer are 2.1 - continue to create connection */
3232                 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3233                 {
3234                     BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection");
3235 
3236                     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3237 
3238                     if (btm_cb.api.p_auth_complete_callback)
3239                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3240                                                             p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3241                 }
3242             }
3243             return;
3244         }
3245         else
3246         {
3247             BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
3248 
3249             BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3250             return;
3251         }
3252     }
3253 
3254     /* check if we were delaying link_key_callback because name was not resolved */
3255     if (p_dev_rec->link_key_not_sent)
3256     {
3257         /* If HCI connection complete has not arrived, wait for it */
3258         if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3259             return;
3260 
3261         p_dev_rec->link_key_not_sent = FALSE;
3262         btm_send_link_key_notif(p_dev_rec);
3263 
3264         /* If its not us who perform authentication, we should tell stackserver */
3265         /* that some authentication has been completed                          */
3266         /* This is required when different entities receive link notification and auth complete */
3267         if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3268         {
3269             if (btm_cb.api.p_auth_complete_callback)
3270                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3271                                                         p_dev_rec->dev_class,
3272                                                         p_dev_rec->sec_bd_name, HCI_SUCCESS);
3273 
3274         }
3275     }
3276 
3277     /* If this is a bonding procedure can disconnect the link now */
3278     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3279         && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3280     {
3281         BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3282         p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3283         l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3284         return;
3285     }
3286 
3287     if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3288         return;
3289 
3290     /* If get name failed, notify the waiting layer */
3291     if (status != HCI_SUCCESS)
3292     {
3293         btm_sec_dev_rec_cback_event  (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3294         return;
3295     }
3296 
3297     if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3298     {
3299         BTM_TRACE_EVENT ("waiting for remote features!!");
3300         return;
3301     }
3302 
3303     /* Remote Name succeeded, execute the next security procedure, if any */
3304     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3305 
3306     /* If result is pending reply from the user or from the device is pending */
3307     if (status == BTM_CMD_STARTED)
3308         return;
3309 
3310     /* There is no next procedure or start of procedure failed, notify the waiting layer */
3311     btm_sec_dev_rec_cback_event  (p_dev_rec, status, FALSE);
3312 }
3313 
3314 /*******************************************************************************
3315 **
3316 ** Function         btm_sec_rmt_host_support_feat_evt
3317 **
3318 ** Description      This function is called when the
3319 **                  HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3320 **
3321 ** Returns          void
3322 **
3323 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3324 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3325 {
3326     tBTM_SEC_DEV_REC *p_dev_rec;
3327     BD_ADDR         bd_addr;        /* peer address */
3328     BD_FEATURES     features;
3329 
3330     STREAM_TO_BDADDR (bd_addr, p);
3331     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3332 
3333     BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt  sm4: 0x%x  p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3334 
3335     if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3336     {
3337         p_dev_rec->sm4 = BTM_SM4_KNOWN;
3338         STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3339         if (HCI_SSP_HOST_SUPPORTED(features))
3340         {
3341             p_dev_rec->sm4 = BTM_SM4_TRUE;
3342         }
3343         BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3344     }
3345 }
3346 
3347 /*******************************************************************************
3348 **
3349 ** Function         btm_io_capabilities_req
3350 **
3351 ** Description      This function is called when LM request for the IO
3352 **                  capability of the local device and
3353 **                  if the OOB data is present for the device in the event
3354 **
3355 ** Returns          void
3356 **
3357 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3358 void btm_io_capabilities_req (UINT8 *p)
3359 {
3360     tBTM_SP_IO_REQ  evt_data;
3361     UINT8           err_code = 0;
3362     tBTM_SEC_DEV_REC *p_dev_rec;
3363     BOOLEAN         is_orig = TRUE;
3364     UINT8           callback_rc = BTM_SUCCESS;
3365 
3366     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3367 
3368     /* setup the default response according to compile options */
3369     /* assume that the local IO capability does not change
3370      * loc_io_caps is initialized with the default value */
3371     evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3372     evt_data.oob_data = BTM_OOB_NONE;
3373     evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3374 
3375     BTM_TRACE_EVENT ("btm_io_capabilities_req() State: %s", btm_pair_state_descr(btm_cb.pairing_state));
3376 
3377     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3378     p_dev_rec->sm4 |= BTM_SM4_TRUE;
3379 
3380     BTM_TRACE_EVENT ("btm_io_capabilities_req() State: %s  Flags: 0x%04x  p_cur_service: 0x%08x",
3381                       btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3382 
3383     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3384     {
3385         if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP)
3386         {
3387             /* received IO capability response already-> not the originator of SSP */
3388             is_orig = FALSE;
3389 
3390             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3391                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3392         }
3393         /* security is already in progress */
3394         else if (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)
3395         {
3396 /* coverity[uninit_use_in_call]
3397 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3398 False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3399 */
3400             if (memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3401             {
3402                 /* and it's not the device in bonding -> reject it */
3403                 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3404             }
3405             else
3406             {
3407                 /* local device initiated dedicated bonding */
3408                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3409             }
3410         }
3411         else
3412         {
3413             err_code = HCI_ERR_HOST_BUSY_PAIRING;
3414         }
3415     }
3416 
3417     /* paring is not allowed */
3418     if (btm_cb.pairing_disabled)
3419         err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3420 
3421     if (err_code != 0)
3422     {
3423 /* coverity[uninit_use_in_call]
3424 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3425 False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3426 */
3427         btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3428         return;
3429     }
3430 
3431     evt_data.is_orig = is_orig;
3432 
3433     if (is_orig)
3434     {
3435         /* local device initiated the pairing non-bonding -> use p_cur_service */
3436         if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3437             p_dev_rec->p_cur_service &&
3438             (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3439         {
3440             evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_MITM) ? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3441         }
3442     }
3443 
3444     /* Notify L2CAP to increase timeout */
3445     l2c_pin_code_request (evt_data.bd_addr);
3446 
3447     memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3448 
3449 /* coverity[uninit_use_in_call]
3450 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3451 False-positive: False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3452 */
3453     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3454         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3455 
3456     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3457 
3458     callback_rc = BTM_SUCCESS;
3459     if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3460     {
3461         p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3462 
3463         /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3464         evt_data.auth_req = BTM_AUTH_SPGB_YES;
3465     }
3466     else if (btm_cb.api.p_sp_callback)
3467     {
3468         /* the callback function implementation may change the IO capability... */
3469         callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3470     }
3471 
3472 #if BTM_OOB_INCLUDED == TRUE
3473     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3474 #else
3475     if (callback_rc == BTM_SUCCESS)
3476 #endif
3477     {
3478         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3479         {
3480             evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3481         }
3482 
3483         /* if the user does not indicate "reply later" by setting the oob_data to unknown
3484          * send the response right now. Save the current IO capability in the control block */
3485         btm_cb.devcb.loc_auth_req   = evt_data.auth_req;
3486         btm_cb.devcb.loc_io_caps    = evt_data.io_cap;
3487 
3488         BTM_TRACE_EVENT ("btm_io_capabilities_req: State: %s  IO_CAP:%d oob_data:%d auth_req:%d",
3489                           btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3490                           evt_data.oob_data, evt_data.auth_req);
3491 
3492         btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3493                                     evt_data.oob_data, evt_data.auth_req);
3494     }
3495 }
3496 
3497 /*******************************************************************************
3498 **
3499 ** Function         btm_io_capabilities_rsp
3500 **
3501 ** Description      This function is called when the IO capability of the
3502 **                  specified device is received
3503 **
3504 ** Returns          void
3505 **
3506 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3507 void btm_io_capabilities_rsp (UINT8 *p)
3508 {
3509     tBTM_SEC_DEV_REC *p_dev_rec;
3510     tBTM_SP_IO_RSP evt_data;
3511 
3512     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3513     STREAM_TO_UINT8 (evt_data.io_cap, p);
3514     STREAM_TO_UINT8 (evt_data.oob_data, p);
3515     STREAM_TO_UINT8 (evt_data.auth_req, p);
3516 
3517     /* Allocate a new device record or reuse the oldest one */
3518     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3519 
3520     /* If no security is in progress, this indicates incoming security */
3521     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3522     {
3523         memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3524 
3525         btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3526 
3527         /* Make sure we reset the trusted mask to help against attacks */
3528         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3529 
3530         /* work around for FW bug */
3531         btm_inq_stop_on_ssp();
3532     }
3533 
3534     /* Notify L2CAP to increase timeout */
3535     l2c_pin_code_request (evt_data.bd_addr);
3536 
3537     /* We must have a device record here.
3538      * Use the connecting device's CoD for the connection */
3539 /* coverity[uninit_use_in_call]
3540 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3541 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3542 */
3543     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3544         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3545 
3546     /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3547     if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3548         && (evt_data.auth_req & BTM_AUTH_DD_BOND) )            /* and dedicated bonding bit is set */
3549     {
3550         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3551     }
3552 
3553     /* save the IO capability in the device record */
3554     p_dev_rec->rmt_io_caps  = evt_data.io_cap;
3555     p_dev_rec->rmt_auth_req = evt_data.auth_req;
3556 
3557     if (btm_cb.api.p_sp_callback)
3558         (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3559 }
3560 
3561 /*******************************************************************************
3562 **
3563 ** Function         btm_proc_sp_req_evt
3564 **
3565 ** Description      This function is called to process/report
3566 **                  HCI_USER_CONFIRMATION_REQUEST_EVT
3567 **                  or HCI_USER_PASSKEY_REQUEST_EVT
3568 **                  or HCI_USER_PASSKEY_NOTIFY_EVT
3569 **
3570 ** Returns          void
3571 **
3572 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3573 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3574 {
3575     tBTM_STATUS status = BTM_ERR_PROCESSING;
3576     tBTM_SP_EVT_DATA evt_data;
3577     UINT8               *p_bda = evt_data.cfm_req.bd_addr;
3578     tBTM_SEC_DEV_REC *p_dev_rec;
3579 
3580     /* All events start with bd_addr */
3581     STREAM_TO_BDADDR (p_bda, p);
3582 
3583     BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3584                       (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3585                       event, btm_pair_state_descr(btm_cb.pairing_state));
3586 
3587     if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3588          &&  (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3589          &&  (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3590     {
3591         memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3592         memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3593 
3594         BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3595 
3596         switch (event)
3597         {
3598             case BTM_SP_CFM_REQ_EVT:
3599                 /* Numeric confirmation. Need user to conf the passkey */
3600                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3601 
3602                 /* The device record must be allocated in the "IO cap exchange" step */
3603                 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3604 
3605                 evt_data.cfm_req.just_works = TRUE;
3606 
3607                 /* process user confirm req in association with the auth_req param */
3608 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3609                 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3610                      &&  (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3611                      &&  ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3612                 {
3613                     /* Both devices are DisplayYesNo and one or both devices want to authenticate
3614                        -> use authenticated link key */
3615                     evt_data.cfm_req.just_works = FALSE;
3616                 }
3617 #endif
3618                 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt()  just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3619                                   evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3620                                   btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3621 
3622                 evt_data.cfm_req.loc_auth_req   = btm_cb.devcb.loc_auth_req;
3623                 evt_data.cfm_req.rmt_auth_req   = p_dev_rec->rmt_auth_req;
3624                 evt_data.cfm_req.loc_io_caps    = btm_cb.devcb.loc_io_caps;
3625                 evt_data.cfm_req.rmt_io_caps    = p_dev_rec->rmt_io_caps;
3626                 break;
3627 
3628             case BTM_SP_KEY_NOTIF_EVT:
3629                 /* Passkey notification (other side is a keyboard) */
3630                 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3631 
3632                 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT:  passkey: %u", evt_data.key_notif.passkey);
3633 
3634                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3635                 break;
3636 
3637 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3638             case BTM_SP_KEY_REQ_EVT:
3639                 /* HCI_USER_PASSKEY_REQUEST_EVT */
3640                 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3641                 break;
3642 #endif
3643         }
3644 
3645         if (btm_cb.api.p_sp_callback)
3646         {
3647             status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3648             if (status != BTM_NOT_AUTHORIZED)
3649             {
3650                 return;
3651             }
3652             /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3653         }
3654         else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3655         {
3656             /* automatically reply with just works if no sp_cback */
3657             status = BTM_SUCCESS;
3658         }
3659 
3660         if (event == BTM_SP_CFM_REQ_EVT)
3661         {
3662             BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3663             BTM_ConfirmReqReply (status, p_bda);
3664         }
3665 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3666         else if (event == BTM_SP_KEY_REQ_EVT)
3667         {
3668             BTM_PasskeyReqReply(status, p_bda, 0);
3669         }
3670 #endif
3671         return;
3672     }
3673 
3674     /* Something bad. we can only fail this connection */
3675     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3676 
3677     if (BTM_SP_CFM_REQ_EVT == event)
3678     {
3679         btsnd_hcic_user_conf_reply (p_bda, FALSE);
3680     }
3681     else if (BTM_SP_KEY_NOTIF_EVT == event)
3682     {
3683         /* do nothing -> it very unlikely to happen.
3684         This event is most likely to be received by a HID host when it first connects to a HID device.
3685         Usually the Host initiated the connection in this case.
3686         On Mobile platforms, if there's a security process happening,
3687         the host probably can not initiate another connection.
3688         BTW (PC) is another story.  */
3689         if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3690         {
3691             btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3692         }
3693     }
3694 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3695     else
3696     {
3697         btsnd_hcic_user_passkey_neg_reply(p_bda);
3698     }
3699 #endif
3700 }
3701 
3702 /*******************************************************************************
3703 **
3704 ** Function         btm_keypress_notif_evt
3705 **
3706 ** Description      This function is called when a key press notification is
3707 **                  received
3708 **
3709 ** Returns          void
3710 **
3711 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3712 void  btm_keypress_notif_evt (UINT8 *p)
3713 {
3714     tBTM_SP_KEYPRESS    evt_data;
3715     UINT8 *p_bda;
3716 
3717     /* parse & report BTM_SP_KEYPRESS_EVT */
3718     if (btm_cb.api.p_sp_callback)
3719     {
3720         p_bda = evt_data.bd_addr;
3721 
3722         STREAM_TO_BDADDR (p_bda, p);
3723         evt_data.notif_type = *p;
3724 
3725         (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3726     }
3727 }
3728 
3729 /*******************************************************************************
3730 **
3731 ** Function         btm_simple_pair_complete
3732 **
3733 ** Description      This function is called when simple pairing process is
3734 **                  complete
3735 **
3736 ** Returns          void
3737 **
3738 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3739 void btm_simple_pair_complete (UINT8 *p)
3740 {
3741     tBTM_SP_COMPLT  evt_data;
3742     tBTM_SEC_DEV_REC *p_dev_rec;
3743     UINT8           status;
3744     BOOLEAN         disc = FALSE;
3745 
3746     status = *p++;
3747     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3748 
3749     if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3750     {
3751         BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3752                           (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3753                           (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3754         return;
3755     }
3756 
3757     BTM_TRACE_EVENT ("btm_simple_pair_complete()  Pair State: %s  Status:%d  sec_state: %u",
3758                       btm_pair_state_descr(btm_cb.pairing_state),  status, p_dev_rec->sec_state);
3759 
3760     evt_data.status = BTM_ERR_PROCESSING;
3761     if (status == HCI_SUCCESS)
3762     {
3763         evt_data.status = BTM_SUCCESS;
3764         p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3765     }
3766     else
3767     {
3768         if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3769         {
3770             /* The test spec wants the peer device to get this failure code. */
3771             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3772 
3773             /* Change the timer to 1 second */
3774             btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3775         }
3776         else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3777         {
3778             /* stop the timer */
3779             btu_stop_timer (&btm_cb.pairing_tle);
3780 
3781             if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3782             {
3783                 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3784                 disc = TRUE;
3785             }
3786         }
3787         else
3788             disc = TRUE;
3789     }
3790 
3791     /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3792     memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3793     memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3794 
3795     if (btm_cb.api.p_sp_callback)
3796         (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3797 
3798     if (disc)
3799     {
3800         /* simple pairing failed */
3801         /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3802         if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3803         {
3804             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3805         }
3806     }
3807 }
3808 
3809 #if BTM_OOB_INCLUDED == TRUE
3810 /*******************************************************************************
3811 **
3812 ** Function         btm_rem_oob_req
3813 **
3814 ** Description      This function is called to process/report
3815 **                  HCI_REMOTE_OOB_DATA_REQUEST_EVT
3816 **
3817 ** Returns          void
3818 **
3819 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3820 void btm_rem_oob_req (UINT8 *p)
3821 {
3822     UINT8 *p_bda;
3823     tBTM_SP_RMT_OOB  evt_data;
3824     tBTM_SEC_DEV_REC *p_dev_rec;
3825     BT_OCTET16      c;
3826     BT_OCTET16      r;
3827 
3828     p_bda = evt_data.bd_addr;
3829 
3830     STREAM_TO_BDADDR (p_bda, p);
3831 
3832     BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3833                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3834 
3835     if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3836          btm_cb.api.p_sp_callback)
3837     {
3838         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3839         memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3840         BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3841         evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3842 
3843         btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3844         if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3845         {
3846             BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3847         }
3848         return;
3849     }
3850 
3851     /* something bad. we can only fail this connection */
3852     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3853     btsnd_hcic_rem_oob_neg_reply (p_bda);
3854 }
3855 
3856 /*******************************************************************************
3857 **
3858 ** Function         btm_read_local_oob_complete
3859 **
3860 ** Description      This function is called when read local oob data is
3861 **                  completed by the LM
3862 **
3863 ** Returns          void
3864 **
3865 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3866 void btm_read_local_oob_complete (UINT8 *p)
3867 {
3868     tBTM_SP_LOC_OOB evt_data;
3869     UINT8           status = *p++;
3870 
3871     BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3872     if (status == HCI_SUCCESS)
3873     {
3874         evt_data.status = BTM_SUCCESS;
3875         STREAM_TO_ARRAY16(evt_data.c, p);
3876         STREAM_TO_ARRAY16(evt_data.r, p);
3877     }
3878     else
3879         evt_data.status = BTM_ERR_PROCESSING;
3880 
3881     if (btm_cb.api.p_sp_callback)
3882         (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3883 }
3884 #endif /* BTM_OOB_INCLUDED */
3885 
3886 /*******************************************************************************
3887 **
3888 ** Function         btm_sec_auth_collision
3889 **
3890 ** Description      This function is called when authentication or encryption
3891 **                  needs to be retried at a later time.
3892 **
3893 ** Returns          void
3894 **
3895 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3896 static void btm_sec_auth_collision (UINT16 handle)
3897 {
3898     tBTM_SEC_DEV_REC *p_dev_rec;
3899 
3900     if (!btm_cb.collision_start_time)
3901         btm_cb.collision_start_time = GKI_get_tick_count ();
3902 
3903     if ((GKI_get_tick_count () - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3904     {
3905         if (handle == BTM_SEC_INVALID_HANDLE)
3906         {
3907             if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3908                 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3909         }
3910         else
3911             p_dev_rec = btm_find_dev_by_handle (handle);
3912 
3913         if (p_dev_rec != NULL)
3914         {
3915             BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3916             /* We will restart authentication after timeout */
3917             if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3918                 p_dev_rec->sec_state = 0;
3919 
3920             btm_cb.p_collided_dev_rec = p_dev_rec;
3921             btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
3922             btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3923         }
3924     }
3925 }
3926 
3927 /*******************************************************************************
3928 **
3929 ** Function         btm_sec_auth_complete
3930 **
3931 ** Description      This function is when authentication of the connection is
3932 **                  completed by the LM
3933 **
3934 ** Returns          void
3935 **
3936 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)3937 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
3938 {
3939     UINT8            old_sm4;
3940     tBTM_PAIRING_STATE  old_state   = btm_cb.pairing_state;
3941     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3942     BOOLEAN             are_bonding = FALSE;
3943 
3944     /* Commenting out trace due to obf/compilation problems.
3945     */
3946 #if (BT_USE_TRACES == TRUE)
3947     if (p_dev_rec)
3948     {
3949         BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d  dev->sec_state: %u  Bda:%08x, RName:%s",
3950                           btm_pair_state_descr (btm_cb.pairing_state),
3951                           handle, status,
3952                           p_dev_rec->sec_state,
3953                           (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
3954                           p_dev_rec->sec_bd_name);
3955     }
3956     else
3957     {
3958         BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d",
3959                           btm_pair_state_descr (btm_cb.pairing_state),
3960                           handle, status);
3961     }
3962 #endif
3963 
3964     /* For transaction collision we need to wait and repeat.  There is no need */
3965     /* for random timeout because only slave should receive the result */
3966     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
3967     {
3968         btm_sec_auth_collision(handle);
3969         return;
3970     }
3971     btm_cb.collision_start_time = 0;
3972 
3973     btm_restore_mode();
3974 
3975     /* Check if connection was made just to do bonding.  If we authenticate
3976        the connection that is up, this is the last event received.
3977     */
3978     if (p_dev_rec
3979         && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3980         && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
3981     {
3982         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3983 
3984         l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3985     }
3986 
3987     if (!p_dev_rec)
3988         return;
3989 
3990     /* keep the old sm4 flag and clear the retry bit in control block */
3991     old_sm4 = p_dev_rec->sm4;
3992     p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
3993 
3994     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3995          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3996          &&  (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
3997         are_bonding = TRUE;
3998 
3999     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4000 
4001     if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
4002     {
4003         if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
4004              &&  (old_state != BTM_PAIR_STATE_IDLE) )
4005         {
4006             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4007                                                     p_dev_rec->dev_class,
4008                                                     p_dev_rec->sec_bd_name, status);
4009         }
4010         return;
4011     }
4012 
4013     /* There can be a race condition, when we are starting authentication and
4014     ** the peer device is doing encryption.
4015     ** If first we receive encryption change up, then initiated authentication
4016     ** can not be performed.  According to the spec we can not do authentication
4017     ** on the encrypted link, so device is correct.
4018     */
4019     if ((status == HCI_ERR_COMMAND_DISALLOWED)
4020         && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
4021             (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
4022     {
4023         status = HCI_SUCCESS;
4024     }
4025     /* Currently we do not notify user if it is a keyboard which connects */
4026     /* User probably Disabled the keyboard while it was asleap.  Let her try */
4027     if (btm_cb.api.p_auth_complete_callback)
4028     {
4029         /* report the suthentication status */
4030         if (old_state != BTM_PAIR_STATE_IDLE)
4031             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4032                                                     p_dev_rec->dev_class,
4033                                                     p_dev_rec->sec_bd_name, status);
4034     }
4035 
4036     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4037 
4038     /* If this is a bonding procedure can disconnect the link now */
4039     if (are_bonding)
4040     {
4041         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4042 
4043         if (status != HCI_SUCCESS)
4044         {
4045             if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
4046                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
4047         }
4048         else
4049             l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4050 
4051         return;
4052     }
4053 
4054     /* If authentication failed, notify the waiting layer */
4055     if (status != HCI_SUCCESS)
4056     {
4057         if ((old_sm4 & BTM_SM4_RETRY) == 0)
4058         {
4059             /* allow retry only once */
4060             if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
4061             {
4062                 /* not retried yet. set the retry bit */
4063                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4064                 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4065             }
4066             /* this retry for missing key is for Lisbon or later only.
4067              * Legacy device do not need this. the controller will drive the retry automatically */
4068             else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
4069             {
4070                 /* not retried yet. set the retry bit */
4071                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4072                 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4073                 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4074 
4075                 /* With BRCM controller, we do not need to delete the stored link key in controller.
4076                 If the stack may sit on top of other controller, we may need this
4077                 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4078             }
4079 
4080             if (p_dev_rec->sm4 & BTM_SM4_RETRY)
4081             {
4082                 btm_sec_execute_procedure (p_dev_rec);
4083                 return;
4084             }
4085         }
4086 
4087         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4088 
4089         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
4090         {
4091             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4092         }
4093         return;
4094     }
4095 
4096     p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4097 
4098     /* Authentication succeeded, execute the next security procedure, if any */
4099     status = btm_sec_execute_procedure (p_dev_rec);
4100 
4101     /* If there is no next procedure, or procedure failed to start, notify the caller */
4102     if (status != BTM_CMD_STARTED)
4103         btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4104 }
4105 
4106 /*******************************************************************************
4107 **
4108 ** Function         btm_sec_mkey_comp_event
4109 **
4110 ** Description      This function is when encryption of the connection is
4111 **                  completed by the LM
4112 **
4113 ** Returns          void
4114 **
4115 *******************************************************************************/
btm_sec_mkey_comp_event(UINT16 handle,UINT8 status,UINT8 key_flg)4116 void btm_sec_mkey_comp_event (UINT16 handle, UINT8 status, UINT8 key_flg)
4117 {
4118     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4119     UINT8 bd_addr[BD_ADDR_LEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} ;
4120 
4121     BTM_TRACE_EVENT ("Security Manager: mkey comp status:%d State:%d",
4122                       status, (p_dev_rec) ? p_dev_rec->sec_state : 0);
4123 
4124     /* If encryption setup failed, notify the waiting layer */
4125     /* There is no next procedure or start of procedure failed, notify the waiting layer */
4126     if (btm_cb.mkey_cback)
4127     {
4128         if (!p_dev_rec)
4129             (btm_cb.mkey_cback)(bd_addr, status, key_flg );
4130         else
4131             (btm_cb.mkey_cback)(p_dev_rec->bd_addr, status, key_flg );
4132     }
4133 }
4134 
4135 /*******************************************************************************
4136 **
4137 ** Function         btm_sec_encrypt_change
4138 **
4139 ** Description      This function is when encryption of the connection is
4140 **                  completed by the LM
4141 **
4142 ** Returns          void
4143 **
4144 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4145 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4146 {
4147     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4148 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4149     tACL_CONN       *p_acl = NULL;
4150     UINT8           acl_idx = btm_handle_to_acl_index(handle);
4151 #endif
4152     BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
4153                       status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4154     BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4155 
4156     /* For transaction collision we need to wait and repeat.  There is no need */
4157     /* for random timeout because only slave should receive the result */
4158     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4159     {
4160         btm_sec_auth_collision(handle);
4161         return;
4162     }
4163     btm_cb.collision_start_time = 0;
4164 
4165     if (!p_dev_rec)
4166         return;
4167 
4168     if ((status == HCI_SUCCESS) && encr_enable)
4169     {
4170         if (p_dev_rec->hci_handle == handle)
4171             p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4172         else
4173             p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4174     }
4175 
4176     /* It is possible that we decrypted the link to perform role switch */
4177     /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4178     if ((status == HCI_SUCCESS) && !encr_enable)
4179     {
4180         if (p_dev_rec->hci_handle == handle)
4181             p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4182         else
4183             p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4184     }
4185 
4186     BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4187 
4188 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4189     if (acl_idx != MAX_L2CAP_LINKS )
4190         p_acl = &btm_cb.acl_db[acl_idx];
4191 
4192     if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
4193     {
4194         if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE
4195             ||status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
4196             p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4197         btm_ble_link_encrypted(p_dev_rec->bd_addr, encr_enable);
4198         return;
4199     }
4200     else
4201         /* BR/EDR connection, update the encryption key size to be 16 as always */
4202         p_dev_rec->enc_key_size = 16;
4203 #endif
4204 
4205     /* If this encryption was started by peer do not need to do anything */
4206     if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4207     {
4208         if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4209         {
4210             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4211             p_dev_rec->p_callback = NULL;
4212             l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4213         }
4214         return;
4215     }
4216 
4217     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4218 
4219     /* If encryption setup failed, notify the waiting layer */
4220     if (status != HCI_SUCCESS)
4221     {
4222         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4223         return;
4224     }
4225 
4226     /* Encryption setup succeeded, execute the next security procedure, if any */
4227     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4228 
4229     /* If there is no next procedure, or procedure failed to start, notify the caller */
4230     if (status != BTM_CMD_STARTED)
4231         btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4232 }
4233 
4234 /*******************************************************************************
4235 **
4236 ** Function         btm_sec_create_conn
4237 **
4238 ** Description      This function records current role and forwards request to
4239 **                  HCI
4240 **
4241 ** Returns          void
4242 **
4243 *******************************************************************************/
btm_sec_create_conn(BD_ADDR bda,UINT16 packet_types,UINT8 page_scan_rep_mode,UINT8 page_scan_mode,UINT16 clock_offset,UINT8 allow_switch)4244 BOOLEAN btm_sec_create_conn (BD_ADDR bda, UINT16 packet_types,
4245                              UINT8 page_scan_rep_mode, UINT8 page_scan_mode,
4246                              UINT16 clock_offset, UINT8 allow_switch)
4247 {
4248     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (bda);
4249 
4250     memcpy (btm_cb.connecting_bda, p_dev_rec->bd_addr,   BD_ADDR_LEN);
4251     memcpy (btm_cb.connecting_dc,  p_dev_rec->dev_class, DEV_CLASS_LEN);
4252 
4253     btm_cb.acl_disc_reason = 0xff ;
4254 
4255     p_dev_rec->sec_state   = BTM_SEC_STATE_IDLE;
4256     p_dev_rec->role_master = TRUE;
4257 
4258     /* If any SCO link up, do not allow a switch */
4259     if (BTM_GetNumScoLinks() != 0)
4260         allow_switch = HCI_CR_CONN_NOT_ALLOW_SWITCH;
4261 
4262     return(btsnd_hcic_create_conn (bda, packet_types, page_scan_rep_mode,
4263                                    page_scan_mode, clock_offset, allow_switch));
4264 }
4265 
4266 /*******************************************************************************
4267 **
4268 ** Function         btm_sec_connect_after_reject_timeout
4269 **
4270 ** Description      Connection for bonding could not start because of the collision
4271 **                  Initiate outgoing connection
4272 **
4273 ** Returns          Pointer to the TLE struct
4274 **
4275 *******************************************************************************/
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4276 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4277 {
4278     tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4279     UNUSED(p_tle);
4280 
4281     BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()");
4282     btm_cb.sec_collision_tle.param = 0;
4283     btm_cb.p_collided_dev_rec = 0;
4284 
4285     if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4286     {
4287         BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4288 
4289         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4290 
4291         if (btm_cb.api.p_auth_complete_callback)
4292         (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
4293                                                 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4294     }
4295 }
4296 
4297 /*******************************************************************************
4298 **
4299 ** Function         btm_sec_connected
4300 **
4301 ** Description      This function is when a connection to the peer device is
4302 **                  establsihed
4303 **
4304 ** Returns          void
4305 **
4306 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4307 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4308 {
4309     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4310     UINT8            res;
4311     BOOLEAN          is_pairing_device = FALSE;
4312     tACL_CONN        *p_acl_cb;
4313     UINT8            bit_shift = 0;
4314 
4315     btm_acl_resubmit_page();
4316 
4317     /* Commenting out trace due to obf/compilation problems.
4318     */
4319 #if (BT_USE_TRACES == TRUE)
4320     if (p_dev_rec)
4321     {
4322         BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x RName:%s",
4323                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4324                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4325                           p_dev_rec->sec_bd_name);
4326     }
4327     else
4328     {
4329         BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x ",
4330                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4331                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4332     }
4333 #endif
4334 
4335     if (!p_dev_rec)
4336     {
4337         /* There is no device record for new connection.  Allocate one */
4338         if (status == HCI_SUCCESS)
4339         {
4340             p_dev_rec = btm_sec_alloc_dev (bda);
4341         }
4342         else
4343         {
4344             /* can not find the device record and the status is error,
4345              * just ignore it */
4346             return;
4347         }
4348     }
4349     else    /* Update the timestamp for this device */
4350     {
4351 
4352 #if BLE_INCLUDED == TRUE
4353         bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4354 #endif
4355         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4356         if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4357         {
4358             /* tell L2CAP it's a bonding connection. */
4359             if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4360                  &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4361                  &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4362             {
4363                 /* if incoming connection failed while pairing, then try to connect and continue */
4364                 /* Motorola S9 disconnects without asking pin code */
4365                 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4366                 {
4367                     BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4368 
4369                     p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4370                     if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4371                     {
4372                         /* Start timer with 0 to initiate connection with new LCB */
4373                         /* because L2CAP will delete current LCB with this event  */
4374                         btm_cb.p_collided_dev_rec = p_dev_rec;
4375                         btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4376                         btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4377                     }
4378                     else
4379                     {
4380                         btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4381                         BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4382                     }
4383 #if BTM_DISC_DURING_RS == TRUE
4384                     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4385 #endif
4386                     return;
4387                 }
4388                 else
4389                 {
4390                     l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4391                 }
4392             }
4393             /* always clear the pending flag */
4394             p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4395         }
4396     }
4397 
4398 #if BLE_INCLUDED == TRUE
4399     p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4400 #endif
4401 
4402 #if BTM_DISC_DURING_RS == TRUE
4403     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4404 #endif
4405 
4406     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4407 
4408     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4409          && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4410     {
4411         /* if we rejected incoming connection from bonding device */
4412         if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4413             &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4414         {
4415             BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4416                 btm_cb.pairing_flags, p_dev_rec->sm4);
4417 
4418             btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4419             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4420             {
4421                 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4422                 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4423                 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4424                 return;
4425             }
4426 
4427             /* if we already have pin code */
4428             if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4429             {
4430                 /* Start timer with 0 to initiate connection with new LCB */
4431                 /* because L2CAP will delete current LCB with this event  */
4432                 btm_cb.p_collided_dev_rec = p_dev_rec;
4433                 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4434                 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4435             }
4436 
4437             return;
4438         }
4439         /* wait for incoming connection without resetting pairing state */
4440         else if (status == HCI_ERR_CONNECTION_EXISTS)
4441         {
4442             BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4443             return;
4444         }
4445 
4446         is_pairing_device = TRUE;
4447     }
4448 
4449     /* If connection was made to do bonding restore link security if changed */
4450     btm_restore_mode();
4451 
4452     /* if connection fails during pin request, notify application */
4453     if (status != HCI_SUCCESS)
4454     {
4455         /* If connection failed because of during pairing, need to tell user */
4456         if (is_pairing_device)
4457         {
4458             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4459             p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4460             BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4461 
4462             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4463 
4464             /* We need to notify host that the key is not known any more */
4465             if (btm_cb.api.p_auth_complete_callback)
4466             {
4467                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4468                                                         p_dev_rec->dev_class,
4469                                                         p_dev_rec->sec_bd_name, status);
4470             }
4471         }
4472  /*
4473      Do not send authentication failure, if following conditions hold good
4474       1.  BTM Sec Pairing state is idle
4475       2.  Link key for the remote device is present.
4476       3.  Remote is SSP capable.
4477   */
4478         else if  ((p_dev_rec->link_key_type  <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4479                  (((status == HCI_ERR_AUTH_FAILURE)                      ||
4480                  (status == HCI_ERR_KEY_MISSING)                         ||
4481                  (status == HCI_ERR_HOST_REJECT_SECURITY)                ||
4482                  (status == HCI_ERR_PAIRING_NOT_ALLOWED)                 ||
4483                  (status == HCI_ERR_UNIT_KEY_USED)                       ||
4484                  (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4485                  (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)           ||
4486                  (status == HCI_ERR_REPEATED_ATTEMPTS))))
4487         {
4488             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4489             p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4490 
4491 
4492 #ifdef BRCM_NOT_4_BTE
4493             /* If we rejected pairing, pass this special result code */
4494             if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4495             {
4496                 status = HCI_ERR_HOST_REJECT_SECURITY;
4497             }
4498 #endif
4499 
4500             /* We need to notify host that the key is not known any more */
4501             if (btm_cb.api.p_auth_complete_callback)
4502             {
4503                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4504                                                         p_dev_rec->dev_class,
4505                                                         p_dev_rec->sec_bd_name, status);
4506             }
4507         }
4508 
4509         if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT  ||
4510             status == HCI_ERR_UNSPECIFIED     || status == HCI_ERR_PAGE_TIMEOUT)
4511             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4512         else
4513             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4514 
4515         return;
4516     }
4517 
4518     /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4519     /* If dedicated bonding, and we now have a link key, we are all done */
4520     if ( is_pairing_device
4521          && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4522     {
4523         if (p_dev_rec->link_key_not_sent)
4524         {
4525             p_dev_rec->link_key_not_sent = FALSE;
4526             btm_send_link_key_notif(p_dev_rec);
4527         }
4528 
4529         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4530 
4531         /* remember flag before it is initialized */
4532         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4533             res = TRUE;
4534         else
4535             res = FALSE;
4536 
4537         if (btm_cb.api.p_auth_complete_callback)
4538             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4539                                                     p_dev_rec->dev_class,
4540                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4541 
4542         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4543 
4544         if ( res )
4545         {
4546             /* Let l2cap start bond timer */
4547             l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4548         }
4549 
4550         return;
4551     }
4552 
4553     p_dev_rec->hci_handle = handle;
4554 
4555     /* role may not be correct here, it will be updated by l2cap, but we need to */
4556     /* notify btm_acl that link is up, so starting of rmt name request will not */
4557     /* set paging flag up */
4558     p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4559     if (p_acl_cb)
4560     {
4561         /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4562 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4563         /* For now there are a some devices that do not like sending */
4564         /* commands events and data at the same time. */
4565         /* Set the packet types to the default allowed by the device */
4566         btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4567 
4568         if (btm_cb.btm_def_link_policy)
4569             BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4570 #endif
4571     }
4572     btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4573 
4574     /* Initialize security flags.  We need to do that because some            */
4575     /* authorization complete could have come after the connection is dropped */
4576     /* and that would set wrong flag that link has been authorized already    */
4577     p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4578                               BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4579 
4580     if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4581         p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4582 
4583     if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4584         p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4585 
4586     p_dev_rec->link_key_changed = FALSE;
4587 
4588     /* After connection is established we perform security if we do not know */
4589     /* the name, or if we are originator because some procedure can have */
4590     /* been scheduled while connection was down */
4591     BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4592     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4593     {
4594         if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4595             btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4596     }
4597     return;
4598 }
4599 
4600 /*******************************************************************************
4601 **
4602 ** Function         btm_sec_role_changed
4603 **
4604 ** Description      This function is colled when controller reports role
4605 **                  changed, or failed command status for Role Change request
4606 **
4607 ** Returns          void
4608 **
4609 *******************************************************************************/
btm_sec_role_changed(void * p_ref_data)4610 void btm_sec_role_changed (void *p_ref_data)
4611 {
4612     tBTM_SEC_DEV_REC *p_dev_rec = (tBTM_SEC_DEV_REC *)p_ref_data;
4613     UINT8 res;
4614 
4615     BTM_TRACE_EVENT ("Security Manager: role changed");
4616 
4617     /* If this role switch was started by peer do not need to do anything */
4618     if (p_dev_rec->sec_state != BTM_SEC_STATE_SWITCHING_ROLE)
4619         return;
4620 
4621     /* If serurity required was to FORCE switch and it failed, notify the waiting layer */
4622     if (((p_dev_rec->security_required & BTM_SEC_FORCE_MASTER) && !p_dev_rec->role_master)
4623         || ((p_dev_rec->security_required & BTM_SEC_FORCE_SLAVE)  &&  p_dev_rec->role_master))
4624     {
4625         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4626         return;
4627     }
4628 
4629     p_dev_rec->sec_flags |= BTM_SEC_ROLE_SWITCHED;
4630 
4631     p_dev_rec->security_required &= ~(BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
4632                                       BTM_SEC_FORCE_SLAVE  | BTM_SEC_ATTEMPT_SLAVE);
4633 
4634     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4635 
4636     if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4637     {
4638         btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4639     }
4640 }
4641 
4642 /*******************************************************************************
4643 **
4644 ** Function         btm_sec_disconnect
4645 **
4646 ** Description      This function is called to disconnect HCI link
4647 **
4648 ** Returns          btm status
4649 **
4650 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4651 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4652 {
4653     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4654 
4655     /* In some weird race condition we may not have a record */
4656     if (!p_dev_rec)
4657     {
4658         btsnd_hcic_disconnect (handle, reason);
4659         return(BTM_SUCCESS);
4660     }
4661 
4662     /* If we are in the process of bonding we need to tell client that auth failed */
4663     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4664          &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4665          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4666     {
4667         /* we are currently doing bonding.  Link will be disconnected when done */
4668         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4669         return(BTM_BUSY);
4670     }
4671 
4672     return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4673 }
4674 
4675 /*******************************************************************************
4676 **
4677 ** Function         btm_sec_disconnected
4678 **
4679 ** Description      This function is when a connection to the peer device is
4680 **                  dropped
4681 **
4682 ** Returns          void
4683 **
4684 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4685 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4686 {
4687     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4688     UINT8             old_pairing_flags = btm_cb.pairing_flags;
4689     int               result = HCI_ERR_AUTH_FAILURE;
4690     tBTM_SEC_CALLBACK   *p_callback = NULL;
4691     tBT_TRANSPORT      transport = BT_TRANSPORT_BR_EDR;
4692 
4693     /* If page was delayed for disc complete, can do it now */
4694     btm_cb.discing = FALSE;
4695 
4696     btm_acl_resubmit_page();
4697 
4698     if (!p_dev_rec)
4699         return;
4700 
4701     transport  = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4702 
4703     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4704 
4705 #if BTM_DISC_DURING_RS == TRUE
4706     BTM_TRACE_ERROR("btm_sec_disconnected - Clearing Pending flag");
4707     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4708 #endif
4709 
4710     /* clear unused flags */
4711     p_dev_rec->sm4 &= BTM_SM4_TRUE;
4712 
4713     BTM_TRACE_EVENT("btm_sec_disconnected() sec_req:x%x  State: %s   reason:%d bda:%04x%08x RName:%s",
4714                      p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state), reason,  (p_dev_rec->bd_addr[0]<<8)+p_dev_rec->bd_addr[1],
4715                      (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5], p_dev_rec->sec_bd_name);
4716 
4717     BTM_TRACE_EVENT("before Update sec_flags=0x%x", p_dev_rec->sec_flags);
4718 
4719     /* If we are in the process of bonding we need to tell client that auth failed */
4720     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4721          && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4722     {
4723         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4724         p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4725         if (btm_cb.api.p_auth_complete_callback)
4726         {
4727             /* If the disconnection reason is REPEATED_ATTEMPTS,
4728                send this error message to complete callback function
4729                to display the error message of Repeated attempts.
4730                All others, send HCI_ERR_AUTH_FAILURE. */
4731             if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4732             {
4733                 result = HCI_ERR_REPEATED_ATTEMPTS;
4734             }
4735             else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4736             {
4737                 result = HCI_ERR_HOST_REJECT_SECURITY;
4738             }
4739             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,     p_dev_rec->dev_class,
4740                                                     p_dev_rec->sec_bd_name, result);
4741         }
4742     }
4743 
4744 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4745     p_dev_rec->enc_key_size = 0;
4746     btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4747     /* see sec_flags processing in btm_acl_removed */
4748 
4749     if (transport == BT_TRANSPORT_LE)
4750     {
4751         p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4752         p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4753     }
4754     else
4755 #endif
4756     {
4757         p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4758         p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED);
4759     }
4760 
4761     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
4762     p_dev_rec->security_required = BTM_SEC_NONE;
4763 
4764     p_callback = p_dev_rec->p_callback;
4765 
4766     /* if security is pending, send callback to clean up the security state */
4767     if(p_callback)
4768     {
4769         p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4770                                          we do, this call back must be reset here */
4771         (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4772     }
4773 
4774     BTM_TRACE_EVENT("after Update sec_flags=0x%x", p_dev_rec->sec_flags);
4775 }
4776 
4777 /*******************************************************************************
4778 **
4779 ** Function         btm_sec_link_key_notification
4780 **
4781 ** Description      This function is called when a new connection link key is
4782 **                  generated
4783 **
4784 ** Returns          Pointer to the record or NULL
4785 **
4786 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4787 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4788 {
4789     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4790     BOOLEAN          we_are_bonding = FALSE;
4791 
4792     BTM_TRACE_EVENT ("btm_sec_link_key_notification()  BDA:%04x%08x, TYPE: %d",
4793                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4794                       key_type);
4795 
4796     /* If connection was made to do bonding restore link security if changed */
4797     btm_restore_mode();
4798 
4799     /* Override the key type if version is pre-1.1 */
4800     if (btm_cb.devcb.local_version.hci_version < HCI_VERSION_1_1)
4801         p_dev_rec->link_key_type = BTM_LKEY_TYPE_IGNORE;
4802     if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4803         p_dev_rec->link_key_type = key_type;
4804 
4805     p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4806 #if (BLE_INCLUDED == TRUE)
4807     /* BR/EDR connection, update the encryption key size to be 16 as always */
4808     p_dev_rec->enc_key_size = 16;
4809 #endif
4810     memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4811 
4812     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4813          && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4814     {
4815         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4816             we_are_bonding = TRUE;
4817         else
4818             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4819     }
4820 
4821     /* If name is not known at this point delay calling callback until the name is   */
4822     /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4823     if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4824         &&  ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL)) )
4825     {
4826         BTM_TRACE_EVENT ("btm_sec_link_key_notification()  Delayed BDA: %08x%04x Type:%d",
4827                           (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5], key_type);
4828 
4829         p_dev_rec->link_key_not_sent = TRUE;
4830 
4831         /* If it is for bonding nothing else will follow, so we need to start name resolution */
4832         if (we_are_bonding)
4833         {
4834             if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4835                 btm_inq_rmt_name_failed();
4836         }
4837 
4838         BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4839         return;
4840     }
4841 
4842     /* If its not us who perform authentication, we should tell stackserver */
4843     /* that some authentication has been completed                          */
4844     /* This is required when different entities receive link notification and auth complete */
4845     if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
4846     {
4847         if (btm_cb.api.p_auth_complete_callback)
4848             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4849                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4850     }
4851 
4852     /* We will save link key only if the user authorized it - BTE report link key in all cases */
4853 #ifdef BRCM_NONE_BTE
4854     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4855 #endif
4856     {
4857         if (btm_cb.api.p_link_key_callback)
4858         {
4859             (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,  p_dev_rec->sec_bd_name,
4860                                                p_link_key, p_dev_rec->link_key_type);
4861         }
4862     }
4863 }
4864 
4865 /*******************************************************************************
4866 **
4867 ** Function         btm_sec_link_key_request
4868 **
4869 ** Description      This function is called when controller requests link key
4870 **
4871 ** Returns          Pointer to the record or NULL
4872 **
4873 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)4874 void btm_sec_link_key_request (UINT8 *p_bda)
4875 {
4876     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4877 
4878     BTM_TRACE_EVENT ("btm_sec_link_key_request()  BDA: %02x:%02x:%02x:%02x:%02x:%02x",
4879                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
4880 
4881     if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
4882         (btm_cb.collision_start_time != 0) &&
4883         (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
4884     {
4885         BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
4886             "State: %d START_TIMEOUT : %d",
4887              btm_cb.pairing_state, btm_cb.collision_start_time);
4888         btsnd_hcic_link_key_neg_reply (p_bda);
4889         return;
4890     }
4891     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
4892     {
4893         btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4894         return;
4895     }
4896 
4897     /* Notify L2CAP to increase timeout */
4898     l2c_pin_code_request (p_bda);
4899 
4900     /* Only ask the host for a key if this guy is not already bonding */
4901     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
4902          || (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) )
4903     {
4904         if (btm_cb.api.p_link_key_req_callback)
4905         {
4906             if ((*btm_cb.api.p_link_key_req_callback)(p_bda, p_dev_rec->link_key) == BTM_SUCCESS)
4907             {
4908                 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4909                 return;
4910             }
4911         }
4912     }
4913 
4914     /* The link key is not in the database and it is not known to the manager */
4915     btsnd_hcic_link_key_neg_reply (p_bda);
4916 }
4917 
4918 /*******************************************************************************
4919 **
4920 ** Function         btm_sec_pairing_timeout
4921 **
4922 ** Description      This function is called when host does not provide PIN
4923 **                  within requested time
4924 **
4925 ** Returns          Pointer to the TLE struct
4926 **
4927 *******************************************************************************/
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)4928 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
4929 {
4930     tBTM_CB *p_cb = &btm_cb;
4931     tBTM_SEC_DEV_REC *p_dev_rec;
4932 #if BTM_OOB_INCLUDED == TRUE
4933 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
4934     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_NO;
4935 #else
4936     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_YES;
4937 #endif
4938 #endif
4939     UINT8   name[2];
4940     UNUSED(p_tle);
4941 
4942     p_cb->pairing_tle.param = 0;
4943 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
4944 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
4945 */
4946     p_dev_rec = btm_find_dev (p_cb->pairing_bda);
4947 
4948     BTM_TRACE_EVENT ("btm_sec_pairing_timeout()  State: %s   Flags: %u",
4949                       btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
4950 
4951     switch (p_cb->pairing_state)
4952     {
4953         case BTM_PAIR_STATE_WAIT_PIN_REQ:
4954             btm_sec_bond_cancel_complete();
4955             break;
4956 
4957         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
4958             if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
4959                 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
4960             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4961             /* We need to notify the UI that no longer need the PIN */
4962             if (btm_cb.api.p_auth_complete_callback)
4963             {
4964                 if (p_dev_rec == NULL)
4965                 {
4966                     name[0] = 0;
4967                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4968                                                             NULL,
4969                                                             name, HCI_ERR_CONNECTION_TOUT);
4970                 }
4971                 else
4972                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4973                                                             p_dev_rec->dev_class,
4974                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4975             }
4976             break;
4977 
4978         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
4979             btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
4980             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4981             break;
4982 
4983 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
4984         case BTM_PAIR_STATE_KEY_ENTRY:
4985             btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
4986             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4987             break;
4988 #endif /* !BTM_IO_CAP_NONE */
4989 
4990 #if BTM_OOB_INCLUDED == TRUE
4991         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
4992             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4993                 auth_req |= BTM_AUTH_DD_BOND;
4994 
4995             btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
4996                                          BTM_OOB_NONE, auth_req);
4997             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4998             break;
4999 
5000         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5001             btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
5002             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5003             break;
5004 #endif /* BTM_OOB_INCLUDED */
5005 
5006         case BTM_PAIR_STATE_WAIT_DISCONNECT:
5007             /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
5008              * now it's time to tear down the ACL link*/
5009             if (p_dev_rec == NULL)
5010             {
5011                 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
5012                                   (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
5013                                   (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
5014                 break;
5015             }
5016             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
5017             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5018             break;
5019 
5020         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5021             /* We need to notify the UI that timeout has happened while waiting for authentication*/
5022             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5023             if (btm_cb.api.p_auth_complete_callback)
5024             {
5025                 if (p_dev_rec == NULL)
5026                 {
5027                     name[0] = 0;
5028                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5029                                                             NULL,
5030                                                             name, HCI_ERR_CONNECTION_TOUT);
5031                 }
5032                 else
5033                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5034                                                             p_dev_rec->dev_class,
5035                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5036             }
5037             break;
5038 
5039         default:
5040             BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
5041             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5042             break;
5043     }
5044 }
5045 
5046 /*******************************************************************************
5047 **
5048 ** Function         btm_sec_pin_code_request
5049 **
5050 ** Description      This function is called when controller requests PIN code
5051 **
5052 ** Returns          Pointer to the record or NULL
5053 **
5054 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)5055 void btm_sec_pin_code_request (UINT8 *p_bda)
5056 {
5057     tBTM_SEC_DEV_REC *p_dev_rec;
5058     tBTM_CB          *p_cb = &btm_cb;
5059 
5060 #ifdef PORCHE_PAIRING_CONFLICT
5061     UINT8 default_pin_code_len = 4;
5062     PIN_CODE default_pin_code = {0x30, 0x30, 0x30, 0x30};
5063 #endif
5064     BTM_TRACE_EVENT ("btm_sec_pin_code_request()  State: %s, BDA:%04x%08x",
5065                       btm_pair_state_descr(btm_cb.pairing_state),
5066                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
5067 
5068     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
5069     {
5070         if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0)  &&
5071              (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
5072         {
5073              /* fake this out - porshe carkit issue - */
5074 //            btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
5075              if(! btm_cb.pin_code_len_saved)
5076              {
5077                  btsnd_hcic_pin_code_neg_reply (p_bda);
5078                  return;
5079              }
5080              else
5081              {
5082                  btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5083       	         return;
5084              }
5085         }
5086         else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5087                  || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
5088         {
5089             BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
5090                                 btm_pair_state_descr(btm_cb.pairing_state));
5091 
5092 #ifdef PORCHE_PAIRING_CONFLICT
5093             /* reply pin code again due to counter in_rand when local initiates pairing */
5094             BTM_TRACE_EVENT ("btm_sec_pin_code_request from remote dev. for local initiated pairing");
5095             if(! btm_cb.pin_code_len_saved)
5096             {
5097                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5098                 btsnd_hcic_pin_code_req_reply (p_bda, default_pin_code_len, default_pin_code);
5099             }
5100             else
5101             {
5102                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5103                 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5104             }
5105 #else
5106             btsnd_hcic_pin_code_neg_reply (p_bda);
5107 #endif
5108             return;
5109         }
5110     }
5111 
5112     p_dev_rec = btm_find_or_alloc_dev (p_bda);
5113     /* received PIN code request. must be non-sm4 */
5114     p_dev_rec->sm4 = BTM_SM4_KNOWN;
5115 
5116     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
5117     {
5118         memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5119 
5120         btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5121         /* Make sure we reset the trusted mask to help against attacks */
5122         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5123     }
5124 
5125     if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
5126     {
5127         BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
5128         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5129         btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5130         return;
5131     }
5132 
5133     /* Use the connecting device's CoD for the connection */
5134     if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5135          &&  (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
5136         memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5137 
5138     /* We could have started connection after asking user for the PIN code */
5139     if (btm_cb.pin_code_len != 0)
5140     {
5141         BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
5142         btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5143 
5144 #ifdef PORCHE_PAIRING_CONFLICT
5145         btm_cb.pin_code_len_saved = btm_cb.pin_code_len;
5146 #endif
5147 
5148         /* Mark that we forwarded received from the user PIN code */
5149         btm_cb.pin_code_len = 0;
5150 
5151         /* We can change mode back right away, that other connection being established */
5152         /* is not forced to be secure - found a FW issue, so we can not do this
5153         btm_restore_mode(); */
5154 
5155         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5156     }
5157 
5158     /* If pairing disabled OR (no PIN callback and not bonding) */
5159     /* OR we could not allocate entry in the database reject pairing request */
5160     else if (p_cb->pairing_disabled
5161              || (p_cb->api.p_pin_callback == NULL)
5162 
5163              /* OR Microsoft keyboard can for some reason try to establish connection */
5164              /*  the only thing we can do here is to shut it up.  Normally we will be originator */
5165              /*  for keyboard bonding */
5166              || (!p_dev_rec->is_originator
5167                  && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5168                  &&  (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
5169     {
5170         BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
5171                            p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5172 
5173         btsnd_hcic_pin_code_neg_reply (p_bda);
5174     }
5175     /* Notify upper layer of PIN request and start expiration timer */
5176     else
5177     {
5178         btm_cb.pin_code_len_saved = 0;
5179         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5180         /* Pin code request can not come at the same time as connection request */
5181         memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5182         memcpy (p_cb->connecting_dc,  p_dev_rec->dev_class, DEV_CLASS_LEN);
5183 
5184         /* Check if the name is known */
5185         /* Even if name is not known we might not be able to get one */
5186         /* this is the case when we are already getting something from the */
5187         /* device, so HCI level is flow controlled */
5188         /* Also cannot send remote name request while paging, i.e. connection is not completed */
5189         if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5190         {
5191             BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
5192 
5193             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5194             if (p_cb->api.p_pin_callback)
5195                 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5196         }
5197         else
5198         {
5199             BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
5200 
5201             /* We received PIN code request for the device with unknown name */
5202             /* it is not user friendly just to ask for the PIN without name */
5203             /* try to get name at first */
5204             if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
5205                                           HCI_PAGE_SCAN_REP_MODE_R1,
5206                                           HCI_MANDATARY_PAGE_SCAN_MODE, 0))
5207             {
5208                 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
5209                 p_dev_rec->sec_bd_name[0] = 'f';
5210                 p_dev_rec->sec_bd_name[1] = '0';
5211                 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
5212 
5213                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5214                 if (p_cb->api.p_pin_callback)
5215                     (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5216             }
5217         }
5218     }
5219 
5220     return;
5221 }
5222 
5223 /*******************************************************************************
5224 **
5225 ** Function         btm_sec_update_clock_offset
5226 **
5227 ** Description      This function is called to update clock offset
5228 **
5229 ** Returns          void
5230 **
5231 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5232 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5233 {
5234     tBTM_SEC_DEV_REC  *p_dev_rec;
5235     tBTM_INQ_INFO     *p_inq_info;
5236 
5237     if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5238         return;
5239 
5240     p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5241 
5242     if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5243         return;
5244 
5245     p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5246 }
5247 
5248 
5249 /******************************************************************
5250 ** S T A T I C     F U N C T I O N S
5251 *******************************************************************/
5252 
5253 /*******************************************************************************
5254 **
5255 ** Function         btm_sec_execute_procedure
5256 **
5257 ** Description      This function is called to start required security
5258 **                  procedure.  There is a case when multiplexing protocol
5259 **                  calls this function on the originating side, connection to
5260 **                  the peer will not be established.  This function in this
5261 **                  case performs only authorization.
5262 **
5263 ** Returns          BTM_SUCCESS     - permission is granted
5264 **                  BTM_CMD_STARTED - in process
5265 **                  BTM_NO_RESOURCES  - permission declined
5266 **
5267 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5268 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5269 {
5270     BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5271                       p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5272 
5273     /* There is a chance that we are getting name.  Wait until done. */
5274     if (p_dev_rec->sec_state != 0)
5275         return(BTM_CMD_STARTED);
5276 
5277     /* If any security is required, get the name first */
5278     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5279         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5280     {
5281         BTM_TRACE_EVENT ("Security Manager: Start get name");
5282         if (!btm_sec_start_get_name (p_dev_rec))
5283         {
5284             return(BTM_NO_RESOURCES);
5285         }
5286         return(BTM_CMD_STARTED);
5287     }
5288 
5289     /* If connection is not authenticated and authentication is required */
5290     /* start authentication and return PENDING to the caller */
5291     if ((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5292         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5293             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))
5294         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5295     {
5296 #if (L2CAP_UCD_INCLUDED == TRUE)
5297         /* if incoming UCD packet, discard it */
5298         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5299             return(BTM_FAILED_ON_SECURITY);
5300 #endif
5301 
5302         BTM_TRACE_EVENT ("Security Manager: Start authentication");
5303 
5304         if (!btm_sec_start_authentication (p_dev_rec))
5305         {
5306             return(BTM_NO_RESOURCES);
5307         }
5308         return(BTM_CMD_STARTED);
5309     }
5310 
5311     /* If connection is not encrypted and encryption is required */
5312     /* start encryption and return PENDING to the caller */
5313     if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5314         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5315             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5316         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5317     {
5318 #if (L2CAP_UCD_INCLUDED == TRUE)
5319         /* if incoming UCD packet, discard it */
5320         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5321             return(BTM_FAILED_ON_SECURITY);
5322 #endif
5323 
5324         BTM_TRACE_EVENT ("Security Manager: Start encryption");
5325 
5326         if (!btm_sec_start_encryption (p_dev_rec))
5327         {
5328             return(BTM_NO_RESOURCES);
5329         }
5330         return(BTM_CMD_STARTED);
5331     }
5332 
5333     /* If connection is not authorized and authorization is required */
5334     /* start authorization and return PENDING to the caller */
5335     if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5336         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5337             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5338     {
5339         BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5340                           p_dev_rec->p_cur_service->service_id,
5341                           (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5342                                                       p_dev_rec->p_cur_service->service_id)));
5343         if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5344             (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5345             (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5346                                         p_dev_rec->p_cur_service->service_id) == FALSE))
5347         {
5348             BTM_TRACE_EVENT ("Security Manager: Start authorization");
5349             return(btm_sec_start_authorization (p_dev_rec));
5350         }
5351     }
5352 
5353     /* All required  security procedures already established */
5354     p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5355                                       BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5356                                       BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5357                                       BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5358                                       BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5359 
5360     BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5361     BTM_TRACE_EVENT ("Security Manager: access granted");
5362 
5363     return(BTM_SUCCESS);
5364 }
5365 
5366 
5367 /*******************************************************************************
5368 **
5369 ** Function         btm_sec_start_get_name
5370 **
5371 ** Description      This function is called to start get name procedure
5372 **
5373 ** Returns          TRUE if started
5374 **
5375 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5376 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5377 {
5378     UINT8 tempstate = p_dev_rec->sec_state;
5379 
5380     p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5381 
5382     /* Device should be connected, no need to provide correct page params */
5383     /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5384     if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5385                                 0, NULL)) != BTM_CMD_STARTED)
5386     {
5387         p_dev_rec->sec_state = tempstate;
5388         return(FALSE);
5389     }
5390 
5391     return(TRUE);
5392 }
5393 
5394 /*******************************************************************************
5395 **
5396 ** Function         btm_sec_start_authentication
5397 **
5398 ** Description      This function is called to start authentication
5399 **
5400 ** Returns          TRUE if started
5401 **
5402 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5403 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5404 {
5405     p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5406 
5407     return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5408 }
5409 
5410 /*******************************************************************************
5411 **
5412 ** Function         btm_sec_start_encryption
5413 **
5414 ** Description      This function is called to start encryption
5415 **
5416 ** Returns          TRUE if started
5417 **
5418 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5419 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5420 {
5421     if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5422         return(FALSE);
5423 
5424     p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5425     return(TRUE);
5426 }
5427 
5428 
5429 /*******************************************************************************
5430 **
5431 ** Function         btm_sec_start_authorization
5432 **
5433 ** Description      This function is called to start authorization
5434 **
5435 ** Returns          TRUE if started
5436 **
5437 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5438 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5439 {
5440     UINT8    result;
5441     UINT8   *p_service_name = NULL;
5442     UINT8    service_id;
5443 
5444     if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5445         || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5446     {
5447         if (!btm_cb.api.p_authorize_callback)
5448             return(BTM_MODE_UNSUPPORTED);
5449 
5450         if (p_dev_rec->p_cur_service)
5451         {
5452 #if BTM_SEC_SERVICE_NAME_LEN > 0
5453             if (p_dev_rec->is_originator)
5454                 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5455             else
5456                 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5457 #endif
5458             service_id = p_dev_rec->p_cur_service->service_id;
5459         }
5460         else
5461             service_id = 0;
5462 
5463         /* Send authorization request if not already sent during this service connection */
5464         if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5465             || p_dev_rec->last_author_service_id != service_id)
5466         {
5467             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5468             result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5469                                                      p_dev_rec->dev_class,
5470                                                      p_dev_rec->sec_bd_name,
5471                                                      p_service_name,
5472                                                      service_id,
5473                                                      p_dev_rec->is_originator);
5474         }
5475 
5476         else    /* Already authorized once for this L2CAP bringup */
5477         {
5478             BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5479             return (BTM_SUCCESS);
5480         }
5481 
5482         if (result == BTM_SUCCESS)
5483         {
5484             p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5485 
5486             /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5487             if (!p_dev_rec->is_originator)
5488                 p_dev_rec->last_author_service_id = service_id;
5489 
5490             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5491         }
5492         return(result);
5493     }
5494     btm_sec_start_get_name (p_dev_rec);
5495     return(BTM_CMD_STARTED);
5496 }
5497 
5498 /*******************************************************************************
5499 **
5500 ** Function         btm_sec_are_all_trusted
5501 **
5502 ** Description      This function is called check if all services are trusted
5503 **
5504 ** Returns          TRUE if all are trusted, otherwise FALSE
5505 **
5506 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5507 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5508 {
5509     UINT32 trusted_inx;
5510     for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5511     {
5512         if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5513             return(FALSE);
5514     }
5515 
5516     return(TRUE);
5517 }
5518 
5519 /*******************************************************************************
5520 **
5521 ** Function         btm_sec_find_first_serv
5522 **
5523 ** Description      Look for the first record in the service database
5524 **                  with specified PSM
5525 **
5526 ** Returns          Pointer to the record or NULL
5527 **
5528 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5529 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5530 {
5531     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5532     int i;
5533     BOOLEAN is_originator;
5534 
5535 #if (L2CAP_UCD_INCLUDED == TRUE)
5536 
5537     if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5538         is_originator = TRUE;
5539     else
5540         is_originator = FALSE;
5541 #else
5542     is_originator = conn_type;
5543 #endif
5544 
5545     if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5546     {
5547         /* If this is outgoing connection and the PSM matches p_out_serv,
5548          * use it as the current service */
5549         return btm_cb.p_out_serv;
5550     }
5551 
5552     /* otherwise, just find the first record with the specified PSM */
5553     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5554     {
5555         if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5556             return(p_serv_rec);
5557     }
5558     return(NULL);
5559 }
5560 
5561 
5562 /*******************************************************************************
5563 **
5564 ** Function         btm_sec_find_next_serv
5565 **
5566 ** Description      Look for the next record in the service database
5567 **                  with specified PSM
5568 **
5569 ** Returns          Pointer to the record or NULL
5570 **
5571 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5572 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5573 {
5574     tBTM_SEC_SERV_REC *p_serv_rec   = &btm_cb.sec_serv_rec[0];
5575     int               i;
5576 
5577     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5578     {
5579         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5580             && (p_serv_rec->psm == p_cur->psm) )
5581         {
5582             if (p_cur != p_serv_rec)
5583             {
5584                 return(p_serv_rec);
5585             }
5586         }
5587     }
5588     return(NULL);
5589 }
5590 
5591 
5592 /*******************************************************************************
5593 **
5594 ** Function         btm_sec_find_mx_serv
5595 **
5596 ** Description      Look for the record in the service database with specified
5597 **                  PSM and multiplexor channel information
5598 **
5599 ** Returns          Pointer to the record or NULL
5600 **
5601 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5602 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5603                                                 UINT32 mx_proto_id, UINT32 mx_chan_id)
5604 {
5605     tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5606     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5607     int i;
5608 
5609     BTM_TRACE_DEBUG ("btm_sec_find_mx_serv");
5610     if (is_originator && p_out_serv && p_out_serv->psm == psm
5611         && p_out_serv->mx_proto_id == mx_proto_id
5612         && p_out_serv->orig_mx_chan_id == mx_chan_id)
5613     {
5614         /* If this is outgoing connection and the parameters match p_out_serv,
5615          * use it as the current service */
5616         return btm_cb.p_out_serv;
5617     }
5618 
5619     /* otherwise, the old way */
5620     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5621     {
5622         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5623             && (p_serv_rec->psm == psm)
5624             && (p_serv_rec->mx_proto_id == mx_proto_id)
5625             && (( is_originator && (p_serv_rec->orig_mx_chan_id  == mx_chan_id))
5626                 || (!is_originator && (p_serv_rec->term_mx_chan_id  == mx_chan_id))))
5627         {
5628             return(p_serv_rec);
5629         }
5630     }
5631     return(NULL);
5632 }
5633 
5634 
5635 /*******************************************************************************
5636 **
5637 ** Function         btm_sec_collision_timeout
5638 **
5639 ** Description      Encryption could not start because of the collision
5640 **                  try to do it again
5641 **
5642 ** Returns          Pointer to the TLE struct
5643 **
5644 *******************************************************************************/
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5645 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5646 {
5647     tBTM_STATUS status;
5648     UNUSED(p_tle);
5649 
5650     BTM_TRACE_EVENT ("btm_sec_collision_timeout()");
5651     btm_cb.sec_collision_tle.param = 0;
5652 
5653     status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5654 
5655     /* If result is pending reply from the user or from the device is pending */
5656     if (status != BTM_CMD_STARTED)
5657     {
5658         /* There is no next procedure or start of procedure failed, notify the waiting layer */
5659         btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5660     }
5661 }
5662 
5663 /*******************************************************************************
5664 **
5665 ** Function         btm_sec_link_key_request
5666 **
5667 ** Description      This function is called when controller requests link key
5668 **
5669 ** Returns          Pointer to the record or NULL
5670 **
5671 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5672 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5673 {
5674     if (btm_cb.api.p_link_key_callback)
5675         (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5676                                            p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5677                                            p_dev_rec->link_key_type);
5678 }
5679 
5680 /*******************************************************************************
5681 **
5682 ** Function         BTM_ReadTrustedMask
5683 **
5684 ** Description      Get trusted mask for the peer device
5685 **
5686 ** Parameters:      bd_addr   - Address of the device
5687 **
5688 ** Returns          NULL, if the device record is not found.
5689 **                  otherwise, the trusted mask
5690 **
5691 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5692 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5693 {
5694     tBTM_SEC_DEV_REC *p_dev_rec;
5695 
5696     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
5697     {
5698         return(p_dev_rec->trusted_mask);
5699     }
5700     else
5701     {
5702         return NULL;
5703     }
5704 }
5705 
5706 /*******************************************************************************
5707 **
5708 ** Function         btm_restore_mode
5709 **
5710 ** Description      This function returns the security mode to previous setting
5711 **                  if it was changed during bonding.
5712 **
5713 **
5714 ** Parameters:      void
5715 **
5716 *******************************************************************************/
btm_restore_mode(void)5717 static void btm_restore_mode(void)
5718 {
5719     if (btm_cb.security_mode_changed)
5720     {
5721         btm_cb.security_mode_changed = FALSE;
5722         BTM_TRACE_DEBUG("btm_restore_mode: Authen Enable -> %d", (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5723         btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5724     }
5725 
5726     if (btm_cb.pin_type_changed)
5727     {
5728         btm_cb.pin_type_changed = FALSE;
5729         btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5730     }
5731 }
5732 
5733 
5734 /*******************************************************************************
5735 **
5736 ** Function         btm_sec_find_dev_by_sec_state
5737 **
5738 ** Description      Look for the record in the device database for the device
5739 **                  which is being authenticated or encrypted
5740 **
5741 ** Returns          Pointer to the record or NULL
5742 **
5743 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5744 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5745 {
5746     tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5747     int i;
5748 
5749     for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5750     {
5751         if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5752             && (p_dev_rec->sec_state == state))
5753             return(p_dev_rec);
5754     }
5755     return(NULL);
5756 }
5757 
5758 /*******************************************************************************
5759 **
5760 ** Function         BTM_snd_conn_encrypt
5761 **
5762 ** Description      This function is called to start/stop encryption
5763 **                  Used by JSR-82
5764 **
5765 ** Returns          TRUE if request started
5766 **
5767 *******************************************************************************/
BTM_snd_conn_encrypt(UINT16 handle,BOOLEAN enable)5768 BOOLEAN BTM_snd_conn_encrypt (UINT16  handle, BOOLEAN enable)
5769 {
5770     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
5771 
5772     BTM_TRACE_EVENT ("BTM_snd_conn_encrypt Security Manager: encrypt_change p_dev_rec : 0x%x, enable = %s", p_dev_rec, (enable == TRUE) ? "TRUE" : "FALSE");
5773 
5774     if (!p_dev_rec)
5775     {
5776         BTM_TRACE_EVENT ("BTM_snd_conn_encrypt Error no  p_dev_rec : 0x%x\n", p_dev_rec);
5777         return(FALSE);
5778     }
5779 
5780     if ( p_dev_rec->sec_state == BTM_SEC_STATE_IDLE)
5781     {
5782         if (!btsnd_hcic_set_conn_encrypt (handle, enable))
5783             return(FALSE);
5784 
5785         p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5786 
5787         return(TRUE);
5788     }
5789     else
5790         return(FALSE);
5791 }
5792 
5793 /*******************************************************************************
5794 **
5795 ** Function         btm_sec_change_pairing_state
5796 **
5797 ** Description      This function is called to change pairing state
5798 **
5799 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5800 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5801 {
5802     tBTM_PAIRING_STATE  old_state = btm_cb.pairing_state;
5803 
5804     BTM_TRACE_EVENT ("btm_sec_change_pairing_state  Old: %s",  btm_pair_state_descr(btm_cb.pairing_state));
5805     BTM_TRACE_EVENT ("btm_sec_change_pairing_state  New: %s pairing_flags:0x%x",btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5806 
5807     btm_cb.pairing_state = new_state;
5808 
5809     if (new_state == BTM_PAIR_STATE_IDLE)
5810     {
5811         btu_stop_timer (&btm_cb.pairing_tle);
5812 
5813         btm_cb.pairing_flags = 0;
5814         btm_cb.pin_code_len  = 0;
5815 
5816         /* Make sure the the lcb shows we are not bonding */
5817         l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5818 
5819         btm_restore_mode();
5820         btm_sec_check_pending_reqs();
5821         btm_inq_clear_ssp();
5822 
5823         memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5824     }
5825     else
5826     {
5827         /* If transitionng out of idle, mark the lcb as bonding */
5828         if (old_state == BTM_PAIR_STATE_IDLE)
5829             l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5830 
5831         btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5832 
5833         btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5834     }
5835 }
5836 
5837 
5838 /*******************************************************************************
5839 **
5840 ** Function         btm_pair_state_descr
5841 **
5842 ** Description      Return state description for tracing
5843 **
5844 *******************************************************************************/
5845 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5846 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5847 {
5848 #if (BT_TRACE_VERBOSE == TRUE)
5849     switch (state)
5850     {
5851         case BTM_PAIR_STATE_IDLE:                   return("IDLE");
5852         case BTM_PAIR_STATE_GET_REM_NAME:           return("GET_REM_NAME");
5853         case BTM_PAIR_STATE_WAIT_PIN_REQ:           return("WAIT_PIN_REQ");
5854         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:         return("WAIT_LOCAL_PIN");
5855         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:   return("WAIT_NUM_CONFIRM");
5856         case BTM_PAIR_STATE_KEY_ENTRY:              return("KEY_ENTRY");
5857         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:     return("WAIT_LOCAL_OOB_RSP");
5858         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:      return("WAIT_LOCAL_IOCAPS");
5859         case BTM_PAIR_STATE_INCOMING_SSP:           return("INCOMING_SSP");
5860         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:     return("WAIT_AUTH_COMPLETE");
5861         case BTM_PAIR_STATE_WAIT_DISCONNECT:        return("WAIT_DISCONNECT");
5862     }
5863 
5864     return("???");
5865 #else
5866     sprintf(btm_cb.state_temp_buffer,"%hu",state);
5867 
5868     return(btm_cb.state_temp_buffer);
5869 #endif
5870 }
5871 #endif
5872 
5873 
5874 /*******************************************************************************
5875 **
5876 ** Function         btm_sec_dev_rec_cback_event
5877 **
5878 ** Description      This function calls the callback function with the given
5879 **                  result and clear the callback function.
5880 **
5881 ** Parameters:      void
5882 **
5883 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)5884 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
5885 {
5886     tBTM_SEC_CALLBACK   *p_callback = p_dev_rec->p_callback;
5887     tBT_TRANSPORT transport = is_le_transport ? BT_TRANSPORT_LE : BT_TRANSPORT_BR_EDR;
5888 
5889     if (p_dev_rec->p_callback)
5890     {
5891         p_dev_rec->p_callback = NULL;
5892 
5893         (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, res);
5894 
5895     }
5896     btm_sec_check_pending_reqs();
5897 }
5898 
5899 /*******************************************************************************
5900 **
5901 ** Function         btm_sec_queue_mx_request
5902 **
5903 ** Description      Return state description for tracing
5904 **
5905 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5906 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
5907                                          UINT32 mx_proto_id, UINT32 mx_chan_id,
5908                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5909 {
5910     tBTM_SEC_QUEUE_ENTRY    *p_e;
5911 
5912     p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
5913 
5914     if (p_e)
5915     {
5916         p_e->psm            = psm;
5917         p_e->is_orig        = is_orig;
5918         p_e->p_callback     = p_callback;
5919         p_e->p_ref_data     = p_ref_data;
5920         p_e->mx_proto_id    = mx_proto_id;
5921         p_e->mx_chan_id     = mx_chan_id;
5922 
5923         memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5924 
5925         BTM_TRACE_EVENT ("btm_sec_queue_mx_request() PSM: 0x%04x  Is_Orig: %u  mx_proto_id: %u  mx_chan_id: %u",
5926                           psm, is_orig, mx_proto_id, mx_chan_id);
5927 
5928         GKI_enqueue (&btm_cb.sec_pending_q, p_e);
5929 
5930         return(TRUE);
5931     }
5932 
5933     return(FALSE);
5934 }
5935 
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)5936 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec)
5937 {
5938     UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5939     UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5940     BOOLEAN rv = FALSE;
5941 
5942     if ((major == BTM_COD_MAJOR_AUDIO)
5943         &&  ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
5944     {
5945         BTM_TRACE_EVENT ("btm_sec_check_prefetch_pin: Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x", major, minor);
5946 
5947         if (btm_cb.security_mode_changed == FALSE)
5948         {
5949             btm_cb.security_mode_changed = TRUE;
5950 #ifdef APPL_AUTH_WRITE_EXCEPTION
5951             if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
5952 #endif
5953                 btsnd_hcic_write_auth_enable (TRUE);
5954         }
5955     }
5956     else
5957     {
5958         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5959 
5960         /* If we got a PIN, use that, else try to get one */
5961         if (btm_cb.pin_code_len)
5962         {
5963             BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
5964         }
5965         else
5966         {
5967             /* pin was not supplied - pre-fetch pin code now */
5968             if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
5969             {
5970                 BTM_TRACE_DEBUG("btm_sec_check_prefetch_pin: PIN code callback called");
5971                 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
5972                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5973                 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5974             }
5975         }
5976 
5977         rv = TRUE;
5978     }
5979 
5980     return rv;
5981 }
5982 
5983 #if (BLE_INCLUDED == TRUE)
5984 /*******************************************************************************
5985 **
5986 ** Function         btm_sec_clear_ble_keys
5987 **
5988 ** Description      This function is called to clear out the BLE keys.
5989 **                  Typically when devices are removed in BTM_SecDeleteDevice,
5990 **                  or when a new BT Link key is generated.
5991 **
5992 ** Returns          void
5993 **
5994 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)5995 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC  *p_dev_rec)
5996 {
5997 
5998     BTM_TRACE_DEBUG ("btm_sec_clear_ble_keys: Clearing BLE Keys");
5999 #if (SMP_INCLUDED== TRUE)
6000     p_dev_rec->ble.key_type = 0;
6001     memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6002 #endif
6003     gatt_delete_dev_from_srv_chg_clt_list(p_dev_rec->bd_addr);
6004 }
6005 
6006 
6007 /*******************************************************************************
6008 **
6009 ** Function         btm_sec_is_a_bonded_dev
6010 **
6011 ** Description       Is the specified device is a bonded device
6012 **
6013 ** Returns          TRUE - dev is bonded
6014 **
6015 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6016 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6017 {
6018 
6019     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6020     BOOLEAN is_bonded= FALSE;
6021 
6022     if (p_dev_rec &&
6023 #if (SMP_INCLUDED== TRUE)
6024         ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
6025 #endif
6026          (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
6027     {
6028         is_bonded = TRUE;
6029     }
6030     BTM_TRACE_DEBUG ("btm_sec_is_a_bonded_dev is_bonded=%d", is_bonded);
6031     return(is_bonded);
6032 }
6033 
6034 /*******************************************************************************
6035 **
6036 ** Function         btm_sec_is_le_capable_dev
6037 **
6038 ** Description       Is the specified device is dual mode or LE only device
6039 **
6040 ** Returns          TRUE - dev is a dual mode
6041 **
6042 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6043 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6044 {
6045     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6046     BOOLEAN le_capable = FALSE;
6047 
6048 #if (BLE_INCLUDED== TRUE)
6049     if (p_dev_rec && ((p_dev_rec->device_type == BT_DEVICE_TYPE_DUMO) ||
6050          (p_dev_rec->device_type == BT_DEVICE_TYPE_BLE) ) )
6051     {
6052         le_capable  = TRUE;
6053     }
6054 #endif
6055     return le_capable;
6056 }
6057 
6058 /*******************************************************************************
6059 **
6060 ** Function         btm_sec_find_bonded_dev
6061 **
6062 ** Description      Find a bonded device starting from the specified index
6063 **
6064 ** Returns          TRUE - found a bonded device
6065 **
6066 *******************************************************************************/
btm_sec_find_bonded_dev(UINT8 start_idx,UINT8 * p_found_idx,tBTM_SEC_DEV_REC ** p_rec)6067 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC **p_rec)
6068 {
6069     BOOLEAN found= FALSE;
6070 
6071 #if (SMP_INCLUDED== TRUE)
6072     tBTM_SEC_DEV_REC *p_dev_rec;
6073     int i;
6074     if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
6075     {
6076         BTM_TRACE_DEBUG ("LE bonded device not found");
6077         return found;
6078     }
6079 
6080     p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
6081     for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
6082     {
6083         if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
6084         {
6085             *p_found_idx = i;
6086             *p_rec = p_dev_rec;
6087             break;
6088         }
6089     }
6090     BTM_TRACE_DEBUG ("btm_sec_find_bonded_dev=%d", found);
6091 #endif
6092     return(found);
6093 }
6094 #endif /* BLE_INCLUDED */
6095 
6096