1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Security Manager
22 *
23 ******************************************************************************/
24
25 #include <string.h>
26 #include "bt_types.h"
27 #include "hcimsgs.h"
28 #include "btu.h"
29 #include "btm_int.h"
30 #include "l2c_int.h"
31 #include "bt_utils.h"
32
33 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
34 /* needed for sprintf() */
35 #include <stdio.h>
36 #endif
37
38 #if BLE_INCLUDED == TRUE
39 #include "gatt_int.h"
40 #endif
41
42 #define BTM_SEC_MAX_COLLISION_DELAY (GKI_SECS_TO_TICKS(5))
43
44 #ifdef APPL_AUTH_WRITE_EXCEPTION
45 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
46 #endif
47
48
49 /********************************************************************************
50 ** L O C A L F U N C T I O N P R O T O T Y P E S *
51 *********************************************************************************/
52 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
53 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
54 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
55 UINT32 mx_proto_id,
56 UINT32 mx_chan_id);
57
58 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
59 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
60 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
61 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
62 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
63 static void btm_restore_mode(void);
64 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
65 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
66 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
67
68 #if (BT_USE_TRACES == TRUE)
69 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state);
70 #endif
71
72 static void btm_sec_check_pending_reqs(void);
73 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
74 UINT32 mx_proto_id, UINT32 mx_chan_id,
75 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
76 static void btm_sec_bond_cancel_complete (void);
77 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
78 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec);
79
80 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
81 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]);
82
83 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
84 UINT8 btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
85 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
86
87 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
88 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
89 UINT32 mx_chan_id);
90
91 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
92 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
93 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
94 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
95
96 /* TRUE - authenticated link key is possible */
97 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
98 {
99 /* OUT, IO, IN, NONE */
100 /* OUT */ {FALSE, FALSE, TRUE, FALSE},
101 /* IO */ {FALSE, TRUE, TRUE, FALSE},
102 /* IN */ {TRUE, TRUE, TRUE, FALSE},
103 /* NONE */ {FALSE, FALSE, FALSE, FALSE}
104 };
105 /* BTM_IO_CAP_OUT 0 DisplayOnly */
106 /* BTM_IO_CAP_IO 1 DisplayYesNo */
107 /* BTM_IO_CAP_IN 2 KeyboardOnly */
108 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */
109
110 /*******************************************************************************
111 **
112 ** Function btm_dev_authenticated
113 **
114 ** Description check device is authenticated
115 **
116 ** Returns BOOLEAN TRUE or FALSE
117 **
118 *******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)119 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
120 {
121 if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
122 {
123 return(TRUE);
124 }
125 return(FALSE);
126 }
127
128 /*******************************************************************************
129 **
130 ** Function btm_dev_encrypted
131 **
132 ** Description check device is encrypted
133 **
134 ** Returns BOOLEAN TRUE or FALSE
135 **
136 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)137 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
138 {
139 if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
140 {
141 return(TRUE);
142 }
143 return(FALSE);
144 }
145
146 /*******************************************************************************
147 **
148 ** Function btm_dev_authorized
149 **
150 ** Description check device is authorized
151 **
152 ** Returns BOOLEAN TRUE or FALSE
153 **
154 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)155 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
156 {
157 if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
158 {
159 return(TRUE);
160 }
161 return(FALSE);
162 }
163
164 /*******************************************************************************
165 **
166 ** Function btm_serv_trusted
167 **
168 ** Description check service is trusted
169 **
170 ** Returns BOOLEAN TRUE or FALSE
171 **
172 *******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)173 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
174 {
175 if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
176 {
177 return(TRUE);
178 }
179 return(FALSE);
180 }
181
182 /*******************************************************************************
183 **
184 ** Function BTM_SecRegister
185 **
186 ** Description Application manager calls this function to register for
187 ** security services. There can be one and only one application
188 ** saving link keys. BTM allows only first registration.
189 **
190 ** Returns TRUE if registered OK, else FALSE
191 **
192 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)193 BOOLEAN BTM_SecRegister (tBTM_APPL_INFO *p_cb_info)
194 {
195 #if BLE_INCLUDED == TRUE
196 BT_OCTET16 temp_value = {0};
197 #endif
198
199 BTM_TRACE_EVENT ("BTM_Sec: application registered");
200
201 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
202 if (p_cb_info->p_le_callback)
203 {
204 BTM_TRACE_ERROR ("BTM_SecRegister:p_cb_info->p_le_callback == 0x%x ", p_cb_info->p_le_callback);
205
206 if (p_cb_info->p_le_callback)
207 {
208 #if SMP_INCLUDED == TRUE
209 BTM_TRACE_EVENT ("BTM_Sec: SMP_Register( btm_proc_smp_cback )");
210 SMP_Register(btm_proc_smp_cback);
211 #endif
212 /* if no IR is loaded, need to regenerate all the keys */
213 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
214 {
215 btm_ble_reset_id();
216 }
217 }
218 else
219 {
220 BTM_TRACE_ERROR ("BTM_SecRegister:p_cb_info->p_le_callback == NULL ");
221 }
222 }
223 #endif
224
225 btm_cb.api = *p_cb_info;
226 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
227 BTM_TRACE_ERROR ("BTM_SecRegister: btm_cb.api.p_le_callback = 0x%x ", btm_cb.api.p_le_callback);
228 #endif
229 BTM_TRACE_EVENT ("BTM_Sec: application registered");
230 return(TRUE);
231 }
232
233
234 /*******************************************************************************
235 **
236 ** Function BTM_SecRegisterLinkKeyNotificationCallback
237 **
238 ** Description Application manager calls this function to register for
239 ** link key notification. When there is nobody registered
240 ** we should avoid changing link key
241 **
242 ** Returns TRUE if registered OK, else FALSE
243 **
244 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)245 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
246 {
247 btm_cb.api.p_link_key_callback = p_callback;
248 return(TRUE);
249 }
250
251
252 /*******************************************************************************
253 **
254 ** Function BTM_SecAddRmtNameNotifyCallback
255 **
256 ** Description Any profile can register to be notified when name of the
257 ** remote device is resolved.
258 **
259 ** Returns TRUE if registered OK, else FALSE
260 **
261 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)262 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
263 {
264 int i;
265
266 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
267 {
268 if (btm_cb.p_rmt_name_callback[i] == NULL)
269 {
270 btm_cb.p_rmt_name_callback[i] = p_callback;
271 return(TRUE);
272 }
273 }
274
275 return(FALSE);
276 }
277
278
279 /*******************************************************************************
280 **
281 ** Function BTM_SecDeleteRmtNameNotifyCallback
282 **
283 ** Description Any profile can deregister notification when a new Link Key
284 ** is generated per connection.
285 **
286 ** Returns TRUE if OK, else FALSE
287 **
288 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)289 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
290 {
291 int i;
292
293 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
294 {
295 if (btm_cb.p_rmt_name_callback[i] == p_callback)
296 {
297 btm_cb.p_rmt_name_callback[i] = NULL;
298 return(TRUE);
299 }
300 }
301
302 return(FALSE);
303 }
304
305
306 /*******************************************************************************
307 **
308 ** Function BTM_SecSetConnectFilterCallback
309 **
310 ** Description Host can register to be asked whenever a HCI connection
311 ** request is received. In the registered function host
312 ** suppose to check connectibility filters. Yes/No result
313 ** should be returned syncronously
314 **
315 ** Returns void
316 **
317 *******************************************************************************/
BTM_SecSetConnectFilterCallback(tBTM_FILTER_CB * p_callback)318 void BTM_SecSetConnectFilterCallback (tBTM_FILTER_CB *p_callback)
319 {
320 btm_cb.p_conn_filter_cb = p_callback;
321 }
322
323 /*******************************************************************************
324 **
325 ** Function BTM_GetSecurityMode
326 **
327 ** Description Get security mode for the device
328 **
329 ** Returns void
330 **
331 *******************************************************************************/
BTM_GetSecurityMode(void)332 UINT8 BTM_GetSecurityMode (void)
333 {
334 return(btm_cb.security_mode);
335 }
336
337 /*******************************************************************************
338 **
339 ** Function BTM_GetSecurityFlags
340 **
341 ** Description Get security flags for the device
342 **
343 ** Returns BOOLEAN TRUE or FALSE is device found
344 **
345 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)346 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
347 {
348 tBTM_SEC_DEV_REC *p_dev_rec;
349
350 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
351 {
352 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
353 return(TRUE);
354 }
355 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
356 return(FALSE);
357 }
358
359 /*******************************************************************************
360 **
361 ** Function BTM_GetSecurityFlagsByTransport
362 **
363 ** Description Get security flags for the device on a particular transport
364 **
365 ** Returns BOOLEAN TRUE or FALSE is device found
366 **
367 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)368 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
369 tBT_TRANSPORT transport)
370 {
371 tBTM_SEC_DEV_REC *p_dev_rec;
372
373 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
374 {
375 if (transport == BT_TRANSPORT_BR_EDR)
376 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
377 else
378 *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
379
380 return(TRUE);
381 }
382 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
383 return(FALSE);
384 }
385
386 /*******************************************************************************
387 **
388 ** Function BTM_SetSecurityMode
389 **
390 ** Description Set security mode for the device
391 **
392 ** Returns void
393 **
394 *******************************************************************************/
BTM_SetSecurityMode(UINT8 security_mode)395 void BTM_SetSecurityMode (UINT8 security_mode)
396 {
397 UINT8 old_mode = btm_cb.security_mode;
398
399 UINT8 sp_mode = HCI_SP_MODE_ENABLED;
400 UINT8 sp_debug_mode = HCI_SPD_MODE_DISABLED;
401
402 switch (security_mode)
403 {
404 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
405 case BTM_SEC_MODE_NONE:
406 case BTM_SEC_MODE_SERVICE:
407 case BTM_SEC_MODE_LINK:
408 break;
409 #endif
410
411 case BTM_SEC_MODE_SP_DEBUG:
412 sp_debug_mode = HCI_SPD_MODE_ENABLED;
413 break;
414 case BTM_SEC_MODE_SP:
415 /* the default is enabled */
416 break;
417 default:
418 BTM_TRACE_ERROR ("BTM_SetSecurityMode: unknown mode:%d", security_mode);
419 return;
420 }
421 btm_cb.security_mode = security_mode;
422
423 if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
424 {
425 /* Lisbon devices and only use BTM_SEC_MODE_SP */
426 btm_cb.security_mode = BTM_SEC_MODE_SP;
427 BTM_TRACE_DEBUG("BTM_SetSecurityMode: SP:%d, debug:%d", sp_mode, sp_debug_mode);
428 btsnd_hcic_write_simple_pairing_mode(sp_mode);
429 btsnd_hcic_write_simp_pair_debug_mode(sp_debug_mode);
430 return;
431 }
432
433 /* must be a pre-Lisbon device */
434 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
435 /* If previously security mode was Link Level and now lesser notify */
436 /* controller not to perform authentication, encryption on startup */
437 if ((old_mode == BTM_SEC_MODE_LINK)
438 && ( security_mode != BTM_SEC_MODE_LINK))
439 {
440 BTM_TRACE_DEBUG("BTM_SetSecurityMode: Authen Enable -> FALSE");
441 btsnd_hcic_write_auth_enable (FALSE);
442 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_DISABLED);
443 }
444
445 /* If previously security is increased to Link Level notify */
446 /* controller to perform authentication, encryption on startup */
447 if ((old_mode != BTM_SEC_MODE_LINK)
448 && ( security_mode == BTM_SEC_MODE_LINK))
449 {
450 BTM_TRACE_DEBUG("BTM_SetSecurityMode: Authen Enable -> TRUE");
451 btsnd_hcic_write_auth_enable (TRUE);
452 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT);
453 }
454 #endif /* BTM_PRE_LISBON_INCLUDED == TRUE */
455 }
456
457 /*******************************************************************************
458 **
459 ** Function BTM_SetPinType
460 **
461 ** Description Set PIN type for the device.
462 **
463 ** Returns void
464 **
465 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)466 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
467 {
468 BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
469 pin_type, (char *) pin_code, pin_code_len);
470
471 /* If device is not up security mode will be set as a part of startup */
472 if ( (btm_cb.cfg.pin_type != pin_type)
473 && (btm_cb.devcb.state > BTM_DEV_STATE_WAIT_AFTER_RESET) )
474 {
475 btsnd_hcic_write_pin_type (pin_type);
476 }
477
478 btm_cb.cfg.pin_type = pin_type;
479 btm_cb.cfg.pin_code_len = pin_code_len;
480 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
481 }
482
483 /*******************************************************************************
484 **
485 ** Function BTM_SetPairableMode
486 **
487 ** Description Enable or disable pairing
488 **
489 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device
490 ** allows pairing.
491 ** connect_only_paired - (TRUE or FALSE) whether or not to
492 ** only allow paired devices to connect.
493 **
494 ** Returns void
495 **
496 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)497 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
498 {
499 BTM_TRACE_API ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired);
500
501 btm_cb.pairing_disabled = !allow_pairing;
502 btm_cb.connect_only_paired = connect_only_paired;
503 }
504
505
506 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff)
507
508 /*******************************************************************************
509 **
510 ** Function BTM_SetUCDSecurityLevel
511 **
512 ** Description Register UCD service security level with Security Manager
513 **
514 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
515 ** p_name - Name of the service relevant only if
516 ** authorization will show this name to user. ignored
517 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
518 ** service_id - service ID for the service passed to authorization callback
519 ** sec_level - bit mask of the security features
520 ** psm - L2CAP PSM
521 ** mx_proto_id - protocol ID of multiplexing proto below
522 ** mx_chan_id - channel ID of multiplexing proto below
523 **
524 ** Returns TRUE if registered OK, else FALSE
525 **
526 *******************************************************************************/
BTM_SetUCDSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)527 BOOLEAN BTM_SetUCDSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
528 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
529 UINT32 mx_chan_id)
530 {
531 #if (L2CAP_UCD_INCLUDED == TRUE)
532 CONNECTION_TYPE conn_type;
533
534 if (is_originator)
535 conn_type = CONNLESS_ORIG;
536 else
537 conn_type = CONNLESS_TERM;
538
539 return(btm_sec_set_security_level (conn_type, p_name, service_id,
540 sec_level, psm, mx_proto_id, mx_chan_id));
541 #else
542 UNUSED(is_originator);
543 UNUSED(p_name);
544 UNUSED(service_id);
545 UNUSED(sec_level);
546 UNUSED(psm);
547 UNUSED(mx_proto_id);
548 UNUSED(mx_chan_id);
549 return FALSE;
550 #endif
551 }
552
553 /*******************************************************************************
554 **
555 ** Function BTM_SetSecurityLevel
556 **
557 ** Description Register service security level with Security Manager
558 **
559 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
560 ** p_name - Name of the service relevant only if
561 ** authorization will show this name to user. ignored
562 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
563 ** service_id - service ID for the service passed to authorization callback
564 ** sec_level - bit mask of the security features
565 ** psm - L2CAP PSM
566 ** mx_proto_id - protocol ID of multiplexing proto below
567 ** mx_chan_id - channel ID of multiplexing proto below
568 **
569 ** Returns TRUE if registered OK, else FALSE
570 **
571 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)572 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
573 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
574 UINT32 mx_chan_id)
575 {
576 #if (L2CAP_UCD_INCLUDED == TRUE)
577 CONNECTION_TYPE conn_type;
578
579 if (is_originator)
580 conn_type = CONN_ORIENT_ORIG;
581 else
582 conn_type = CONN_ORIENT_TERM;
583
584 return(btm_sec_set_security_level (conn_type, p_name, service_id,
585 sec_level, psm, mx_proto_id, mx_chan_id));
586 #else
587 return(btm_sec_set_security_level (is_originator, p_name, service_id,
588 sec_level, psm, mx_proto_id, mx_chan_id));
589 #endif
590 }
591
592 /*******************************************************************************
593 **
594 ** Function btm_sec_set_security_level
595 **
596 ** Description Register service security level with Security Manager
597 **
598 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not
599 ** p_name - Name of the service relevant only if
600 ** authorization will show this name to user. ignored
601 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
602 ** service_id - service ID for the service passed to authorization callback
603 ** sec_level - bit mask of the security features
604 ** psm - L2CAP PSM
605 ** mx_proto_id - protocol ID of multiplexing proto below
606 ** mx_chan_id - channel ID of multiplexing proto below
607 **
608 ** Returns TRUE if registered OK, else FALSE
609 **
610 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)611 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
612 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
613 UINT32 mx_chan_id)
614 {
615 tBTM_SEC_SERV_REC *p_srec;
616 UINT16 index;
617 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
618 BOOLEAN record_allocated = FALSE;
619 BOOLEAN is_originator;
620 #if (L2CAP_UCD_INCLUDED == TRUE)
621 BOOLEAN is_ucd;
622
623 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
624 is_originator = TRUE;
625 else
626 is_originator = FALSE;
627
628 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
629 {
630 is_ucd = TRUE;
631 }
632 else
633 {
634 is_ucd = FALSE;
635 }
636 #else
637 is_originator = conn_type;
638 #endif
639
640 /* See if the record can be reused (same service name, psm, mx_proto_id,
641 service_id, and mx_chan_id), or obtain the next unused record */
642
643 p_srec = &btm_cb.sec_serv_rec[0];
644
645
646 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
647 {
648 /* Check if there is already a record for this service */
649 if (p_srec->security_flags & BTM_SEC_IN_USE)
650 {
651 #if BTM_SEC_SERVICE_NAME_LEN > 0
652 if (p_srec->psm == psm &&
653 p_srec->mx_proto_id == mx_proto_id &&
654 service_id == p_srec->service_id &&
655 (!strncmp (p_name, (char *) p_srec->orig_service_name,
656 BTM_SEC_SERVICE_NAME_LEN) ||
657 !strncmp (p_name, (char *) p_srec->term_service_name,
658 BTM_SEC_SERVICE_NAME_LEN)))
659 #else
660 if (p_srec->psm == psm &&
661 p_srec->mx_proto_id == mx_proto_id &&
662 service_id == p_srec->service_id)
663 #endif
664 {
665 record_allocated = TRUE;
666 break;
667 }
668 }
669 /* Mark the first available service record */
670 else if (!record_allocated)
671 {
672 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
673 record_allocated = TRUE;
674 first_unused_record = index;
675 }
676 }
677
678 if (!record_allocated)
679 {
680 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS);
681 return(record_allocated);
682 }
683
684 /* Process the request if service record is valid */
685 /* If a duplicate service wasn't found, use the first available */
686 if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
687 {
688 index = first_unused_record;
689 p_srec = &btm_cb.sec_serv_rec[index];
690 }
691
692 p_srec->psm = psm;
693 p_srec->service_id = service_id;
694 p_srec->mx_proto_id = mx_proto_id;
695
696 if (is_originator)
697 {
698 p_srec->orig_mx_chan_id = mx_chan_id;
699 #if BTM_SEC_SERVICE_NAME_LEN > 0
700 BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
701 #endif
702 /* clear out the old setting, just in case it exists */
703 #if (L2CAP_UCD_INCLUDED == TRUE)
704 if ( is_ucd )
705 {
706 p_srec->ucd_security_flags &=
707 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
708 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
709 }
710 else
711 #endif
712 {
713 p_srec->security_flags &=
714 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
715 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
716 }
717
718 /* Parameter validation. Originator should not set requirements for incoming connections */
719 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM);
720
721 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
722 {
723 if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
724 sec_level |= BTM_SEC_OUT_MITM;
725 }
726
727 /* Make sure the authenticate bit is set, when encrypt bit is set */
728 if (sec_level & BTM_SEC_OUT_ENCRYPT)
729 sec_level |= BTM_SEC_OUT_AUTHENTICATE;
730
731 /* outgoing connections usually set the security level right before
732 * the connection is initiated.
733 * set it to be the outgoing service */
734 #if (L2CAP_UCD_INCLUDED == TRUE)
735 if ( is_ucd == FALSE )
736 #endif
737 {
738 btm_cb.p_out_serv = p_srec;
739 }
740 }
741 else
742 {
743 p_srec->term_mx_chan_id = mx_chan_id;
744 #if BTM_SEC_SERVICE_NAME_LEN > 0
745 BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
746 #endif
747 /* clear out the old setting, just in case it exists */
748 #if (L2CAP_UCD_INCLUDED == TRUE)
749 if ( is_ucd )
750 {
751 p_srec->ucd_security_flags &=
752 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
753 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
754 }
755 else
756 #endif
757 {
758 p_srec->security_flags &=
759 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
760 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
761 }
762
763 /* Parameter validation. Acceptor should not set requirements for outgoing connections */
764 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
765
766 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
767 {
768 if (sec_level & BTM_SEC_IN_AUTHENTICATE)
769 sec_level |= BTM_SEC_IN_MITM;
770 }
771
772 /* Make sure the authenticate bit is set, when encrypt bit is set */
773 if (sec_level & BTM_SEC_IN_ENCRYPT)
774 sec_level |= BTM_SEC_IN_AUTHENTICATE;
775 }
776
777 #if (L2CAP_UCD_INCLUDED == TRUE)
778 if ( is_ucd )
779 {
780 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE);
781 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
782 }
783 else
784 {
785 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
786 }
787
788 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
789 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
790
791 BTM_TRACE_API(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
792 p_srec->security_flags, p_srec->ucd_security_flags);
793
794 #if BTM_SEC_SERVICE_NAME_LEN > 0
795 BTM_TRACE_API(" : service name [%s] (up to %d chars saved)",
796 p_name, BTM_SEC_SERVICE_NAME_LEN);
797 #endif
798 #else
799 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
800
801 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
802 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
803
804 #if BTM_SEC_SERVICE_NAME_LEN > 0
805 BTM_TRACE_API(" : sec: 0x%x, service name [%s] (up to %d chars saved)",
806 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
807 #endif
808 #endif
809
810
811 return(record_allocated);
812 }
813
814 /*******************************************************************************
815 **
816 ** Function BTM_SecClrService
817 **
818 ** Description Removes specified service record(s) from the security database.
819 ** All service records with the specified name are removed.
820 ** Typically used only by devices with limited RAM so that it can
821 ** reuse an old security service record.
822 **
823 ** Note: Unpredictable results may occur if a service is cleared
824 ** that is still in use by an application/profile.
825 **
826 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
827 ** records (except SDP).
828 **
829 ** Returns Number of records that were freed.
830 **
831 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)832 UINT8 BTM_SecClrService (UINT8 service_id)
833 {
834 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
835 UINT8 num_freed = 0;
836 int i;
837
838 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
839 {
840 /* Delete services with specified name (if in use and not SDP) */
841 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
842 (!service_id || (service_id == p_srec->service_id)))
843 {
844 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
845 p_srec->security_flags = 0;
846 #if (L2CAP_UCD_INCLUDED == TRUE)
847 p_srec->ucd_security_flags = 0;
848 #endif
849 num_freed++;
850 }
851 }
852
853 return(num_freed);
854 }
855
856 /*******************************************************************************
857 **
858 ** Function btm_sec_clr_service_by_psm
859 **
860 ** Description Removes specified service record from the security database.
861 ** All service records with the specified psm are removed.
862 ** Typically used by L2CAP to free up the service record used
863 ** by dynamic PSM clients when the channel is closed.
864 ** The given psm must be a virtual psm.
865 **
866 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
867 ** records (except SDP).
868 **
869 ** Returns Number of records that were freed.
870 **
871 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)872 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
873 {
874 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
875 UINT8 num_freed = 0;
876 int i;
877
878 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
879 {
880 /* Delete services with specified name (if in use and not SDP) */
881 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
882 {
883 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
884 p_srec->security_flags = 0;
885 num_freed++;
886 }
887 }
888 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
889
890 return(num_freed);
891 }
892
893 /*******************************************************************************
894 **
895 ** Function btm_sec_clr_temp_auth_service
896 **
897 ** Description Removes specified device record's temporary authorization
898 ** flag from the security database.
899 **
900 ** Parameters Device address to be cleared
901 **
902 ** Returns void.
903 **
904 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)905 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
906 {
907 tBTM_SEC_DEV_REC *p_dev_rec;
908
909 if ((p_dev_rec = btm_find_dev (bda)) == NULL)
910 {
911 BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
912 return;
913 }
914
915 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
916 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
917 {
918 BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
919 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
920
921 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
922 }
923 }
924
925 /*******************************************************************************
926 **
927 **
928 ** Function BTM_SecClrUCDService
929 **
930 ** Description
931 **
932 ** Parameters Service ID - Id of the service to remove.
933 ** ('0' removes all service records )
934 **
935 ** Returns Number of records that were cleared.
936 **
937 *******************************************************************************/
BTM_SecClrUCDService(UINT8 service_id)938 UINT8 BTM_SecClrUCDService (UINT8 service_id)
939 {
940 #if (L2CAP_UCD_INCLUDED == TRUE)
941 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
942 UINT8 num_cleared = 0;
943 int i;
944
945 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
946 {
947 /* Delete services with specified name (if in use and not SDP) */
948 if ((p_srec->security_flags & BTM_SEC_IN_USE) &&
949 (!service_id || (service_id == (UINT32)p_srec->service_id)))
950 {
951 BTM_TRACE_API("BTM_UCD_SEC_CLR[%d]: id %d", i, service_id);
952 p_srec->ucd_security_flags = 0;
953 num_cleared++;
954 }
955 }
956
957 return(num_cleared);
958 #else
959 UNUSED(service_id);
960 return(0);
961 #endif
962 }
963
964 /*******************************************************************************
965 **
966 ** Function BTM_PINCodeReply
967 **
968 ** Description This function is called after Security Manager submitted
969 ** PIN code request to the UI.
970 **
971 ** Parameters: bd_addr - Address of the device for which PIN was requested
972 ** res - result of the operation BTM_SUCCESS if success
973 ** pin_len - length in bytes of the PIN Code
974 ** p_pin - pointer to array with the PIN Code
975 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
976 **
977 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])978 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
979 {
980 tBTM_SEC_DEV_REC *p_dev_rec;
981
982 BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d",
983 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
984
985 /* If timeout already expired or has been canceled, ignore the reply */
986 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
987 {
988 BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
989 return;
990 }
991
992 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
993 {
994 BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
995 return;
996 }
997
998 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
999 {
1000 BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
1001 return;
1002 }
1003
1004 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
1005 res = BTM_ILLEGAL_VALUE;
1006
1007 if (res != BTM_SUCCESS)
1008 {
1009 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
1010 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
1011 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
1012 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
1013 {
1014 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1015 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1016 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1017
1018 btsnd_hcic_pin_code_neg_reply (bd_addr);
1019 }
1020 else
1021 {
1022 p_dev_rec->security_required = BTM_SEC_NONE;
1023 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1024 }
1025 return;
1026 }
1027 if (trusted_mask)
1028 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1029 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1030
1031 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1032 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1033 && (btm_cb.security_mode_changed == FALSE) )
1034 {
1035 /* This is start of the dedicated bonding if local device is 2.0 */
1036 btm_cb.pin_code_len = pin_len;
1037 memcpy (btm_cb.pin_code, p_pin, pin_len);
1038
1039 btm_cb.security_mode_changed = TRUE;
1040 #ifdef APPL_AUTH_WRITE_EXCEPTION
1041 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
1042 #endif
1043 btsnd_hcic_write_auth_enable (TRUE);
1044
1045 btm_cb.acl_disc_reason = 0xff ;
1046
1047 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
1048 /* before originating */
1049 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
1050 {
1051 BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
1052 /* we change state little bit early so btm_sec_connected() will originate connection */
1053 /* when existing ACL link is down completely */
1054 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1055 }
1056 /* if we already accepted incoming connection from pairing device */
1057 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
1058 {
1059 BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
1060 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1061 }
1062 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
1063 {
1064 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1065 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
1066
1067 if (btm_cb.api.p_auth_complete_callback)
1068 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
1069 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
1070 }
1071 return;
1072 }
1073
1074 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1075 btm_cb.acl_disc_reason = HCI_SUCCESS;
1076
1077 #ifdef PORCHE_PAIRING_CONFLICT
1078 BTM_TRACE_EVENT("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d", pin_len, btm_cb.pin_code_len);
1079 /* if this was not pre-fetched, save the PIN */
1080 if (btm_cb.pin_code_len == 0)
1081 memcpy (btm_cb.pin_code, p_pin, pin_len);
1082 btm_cb.pin_code_len_saved = pin_len;
1083 #endif
1084 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
1085 }
1086
1087
1088 /*******************************************************************************
1089 **
1090 ** Function BTM_DeviceAuthorized
1091 **
1092 ** Description This function is called after Security Manager submitted
1093 ** authorization request to the UI.
1094 **
1095 ** Parameters: bd_addr - Address of the device for which PIN was requested
1096 ** res - result of the operation BTM_SUCCESS if success
1097 **
1098 *******************************************************************************/
BTM_DeviceAuthorized(BD_ADDR bd_addr,UINT8 res,UINT32 trusted_mask[])1099 void BTM_DeviceAuthorized (BD_ADDR bd_addr, UINT8 res, UINT32 trusted_mask[])
1100 {
1101 tBTM_SEC_DEV_REC *p_dev_rec;
1102
1103 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1104 {
1105 BTM_TRACE_WARNING ("Security Manager: Attempting Authorization of Unknown Device Address [%02x%02x%02x%02x%02x%02x]",
1106 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
1107 return;
1108 }
1109
1110 BTM_TRACE_EVENT ("Security Manager: authorized status:%d State:%d Trusted:%08x %08x",
1111 res, (p_dev_rec) ? p_dev_rec->sec_state : 0, trusted_mask[0], trusted_mask[1]);
1112
1113 if (res == BTM_SUCCESS)
1114 {
1115 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
1116 if (trusted_mask)
1117 {
1118 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1119 }
1120
1121 /* Save the currently authorized service in case we are asked again
1122 by another multiplexer layer */
1123 if (!p_dev_rec->is_originator)
1124 {
1125 BTM_TRACE_DEBUG("BTM_DeviceAuthorized: Setting last_author_service_id to %d",
1126 p_dev_rec->p_cur_service->service_id);
1127 p_dev_rec->last_author_service_id = p_dev_rec->p_cur_service->service_id;
1128 }
1129 }
1130
1131 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
1132 return;
1133
1134 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1135
1136 if (res != BTM_SUCCESS)
1137 {
1138 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
1139 return;
1140 }
1141
1142 if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
1143 {
1144 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
1145 }
1146 }
1147
1148 /*******************************************************************************
1149 **
1150 ** Function btm_sec_bond_by_transport
1151 **
1152 ** Description this is the bond function that will start either SSP or SMP.
1153 **
1154 ** Parameters: bd_addr - Address of the device to bond
1155 ** pin_len - length in bytes of the PIN Code
1156 ** p_pin - pointer to array with the PIN Code
1157 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1158 **
1159 ** Note: After 2.1 parameters are not used and preserved here not to change API
1160 *******************************************************************************/
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1161 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1162 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1163 {
1164 tBTM_SEC_DEV_REC *p_dev_rec;
1165 tBTM_STATUS status;
1166 UINT8 *p_features;
1167 UINT8 ii;
1168 tACL_CONN *p= btm_bda_to_acl(bd_addr, transport);
1169 BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
1170 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
1171
1172 BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
1173
1174
1175 /* Other security process is in progress */
1176 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1177 {
1178 BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
1179 return(BTM_WRONG_MODE);
1180 }
1181
1182 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
1183 {
1184 return(BTM_NO_RESOURCES);
1185 }
1186
1187 BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
1188
1189 /* Finished if connection is active and already paired */
1190 if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
1191 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
1192 #if (BLE_INCLUDED == TRUE)
1193 ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
1194 && (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
1195 #endif
1196
1197 )
1198 {
1199 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
1200 return(BTM_SUCCESS);
1201 }
1202
1203 /* Tell controller to get rid of the link key if it has one stored */
1204 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1205 return(BTM_NO_RESOURCES);
1206
1207 /* Save the PIN code if we got a valid one */
1208 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1209 {
1210 btm_cb.pin_code_len = pin_len;
1211 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1212 }
1213
1214 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1215
1216 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1217
1218 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1219 p_dev_rec->is_originator = TRUE;
1220 if (trusted_mask)
1221 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1222
1223 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1224 if (transport == BT_TRANSPORT_LE)
1225 {
1226 p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1227
1228 if (SMP_Pair(bd_addr) == SMP_STARTED)
1229 {
1230 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1231 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1232 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1233 return BTM_CMD_STARTED;
1234 }
1235
1236 btm_cb.pairing_flags = 0;
1237 return(BTM_NO_RESOURCES);
1238 }
1239 #endif
1240
1241 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1242 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED);
1243
1244
1245 BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1246 if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
1247 {
1248 /* The special case when we authenticate keyboard. Set pin type to fixed */
1249 /* It would be probably better to do it from the application, but it is */
1250 /* complicated */
1251 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1252 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1253 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1254 {
1255 btm_cb.pin_type_changed = TRUE;
1256 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1257 }
1258 }
1259
1260 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1261 {
1262 p_features = p_dev_rec->features[ii];
1263 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x",
1264 ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1265 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x",
1266 p_features[4], p_features[5], p_features[6], p_features[7]);
1267 }
1268
1269 BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1270
1271 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1272 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1273 #endif
1274
1275 /* If connection already exists... */
1276 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1277 {
1278 if (!btm_sec_start_authentication (p_dev_rec))
1279 return(BTM_NO_RESOURCES);
1280
1281 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1282
1283 /* Mark lcb as bonding */
1284 l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1285 return(BTM_CMD_STARTED);
1286 }
1287
1288 BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1289 if (!HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0])
1290 || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1291 {
1292 if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1293 return(BTM_CMD_STARTED);
1294 }
1295 if (BTM_SEC_MODE_SP == btm_cb.security_mode && BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1296 {
1297 /* local is 2.1 and peer is unknown */
1298 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1299 {
1300 /* we are not accepting connection request from peer
1301 * -> RNR (to learn if peer is 2.1)
1302 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1303 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1304 BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1305 }
1306 else
1307 {
1308 /* We are accepting connection request from peer */
1309 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1310 }
1311 BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1312 btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1313 return BTM_CMD_STARTED;
1314 }
1315
1316 /* both local and peer are 2.1 */
1317 status = btm_sec_dd_create_conn(p_dev_rec);
1318
1319 if (status != BTM_CMD_STARTED)
1320 {
1321 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1322 }
1323
1324 return status;
1325 }
1326
1327 /*******************************************************************************
1328 **
1329 ** Function BTM_SecBondByTransport
1330 **
1331 ** Description This function is called to perform bonding with peer device.
1332 ** If the connection is already up, but not secure, pairing
1333 ** is attempted. If already paired BTM_SUCCESS is returned.
1334 **
1335 ** Parameters: bd_addr - Address of the device to bond
1336 ** transport - doing SSP over BR/EDR or SMP over LE
1337 ** pin_len - length in bytes of the PIN Code
1338 ** p_pin - pointer to array with the PIN Code
1339 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1340 **
1341 ** Note: After 2.1 parameters are not used and preserved here not to change API
1342 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1343 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1344 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1345 {
1346 #if SMP_INCLUDED == TRUE
1347 tBT_DEVICE_TYPE dev_type;
1348 tBLE_ADDR_TYPE addr_type;
1349
1350 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1351 /* LE device, do SMP pairing */
1352 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1353 (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1354 {
1355 return BTM_ILLEGAL_ACTION;
1356 }
1357 #endif
1358 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1359 }
1360
1361 /*******************************************************************************
1362 **
1363 ** Function BTM_SecBond
1364 **
1365 ** Description This function is called to perform bonding with peer device.
1366 ** If the connection is already up, but not secure, pairing
1367 ** is attempted. If already paired BTM_SUCCESS is returned.
1368 **
1369 ** Parameters: bd_addr - Address of the device to bond
1370 ** pin_len - length in bytes of the PIN Code
1371 ** p_pin - pointer to array with the PIN Code
1372 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1373 **
1374 ** Note: After 2.1 parameters are not used and preserved here not to change API
1375 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1376 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1377 {
1378 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
1379 #if BLE_INCLUDED == TRUE
1380 if (BTM_UseLeLink(bd_addr))
1381 transport = BT_TRANSPORT_LE;
1382 #endif
1383 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1384 }
1385 /*******************************************************************************
1386 **
1387 ** Function BTM_SecBondCancel
1388 **
1389 ** Description This function is called to cancel ongoing bonding process
1390 ** with peer device.
1391 **
1392 ** Parameters: bd_addr - Address of the peer device
1393 ** transport - FALSE for BR/EDR link; TRUE for LE link
1394 **
1395 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1396 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1397 {
1398 tBTM_SEC_DEV_REC *p_dev_rec;
1399
1400 BTM_TRACE_API ("BTM_SecBondCancel() State: %s flags:0x%x",
1401 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1402
1403 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1404 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1405 return BTM_UNKNOWN_ADDR;
1406
1407 #if SMP_INCLUDED == TRUE
1408 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1409 {
1410 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1411 {
1412 BTM_TRACE_DEBUG ("Cancel LE pairing");
1413 if (SMP_PairCancel(bd_addr))
1414 {
1415 return BTM_CMD_STARTED;
1416 }
1417 }
1418 return BTM_WRONG_MODE;
1419 }
1420
1421 #endif
1422 BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1423 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1424 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1425 {
1426 /* pre-fetching pin for dedicated bonding */
1427 btm_sec_bond_cancel_complete();
1428 return BTM_SUCCESS;
1429 }
1430
1431 /* If this BDA is in a bonding procedure */
1432 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1433 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1434 {
1435 /* If the HCI link is up */
1436 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1437 {
1438 /* If some other thread disconnecting, we do not send second command */
1439 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING)
1440 return(BTM_CMD_STARTED);
1441
1442 /* If the HCI link was set up by Bonding process */
1443 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1444 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1445 else
1446 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1447
1448 return BTM_NOT_AUTHORIZED;
1449 }
1450 else /*HCI link is not up */
1451 {
1452 /* If the HCI link creation was started by Bonding process */
1453 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1454 {
1455 if (btsnd_hcic_create_conn_cancel(bd_addr))
1456 return BTM_CMD_STARTED;
1457
1458 return BTM_NO_RESOURCES;
1459 }
1460 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1461 {
1462 BTM_CancelRemoteDeviceName();
1463 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1464 return BTM_CMD_STARTED;
1465 }
1466 return BTM_NOT_AUTHORIZED;
1467 }
1468 }
1469
1470 return BTM_WRONG_MODE;
1471 }
1472
1473 /*******************************************************************************
1474 **
1475 ** Function BTM_SecUseMasterLinkKey
1476 **
1477 ** Description This function is called to tell master of the piconet to
1478 ** switch to master link key
1479 **
1480 ** Parameters: use_master_key - If true Master Link Key shoul be used
1481 **
1482 *******************************************************************************/
BTM_SecUseMasterLinkKey(BOOLEAN use_master_key)1483 tBTM_STATUS BTM_SecUseMasterLinkKey (BOOLEAN use_master_key)
1484 {
1485 return(btsnd_hcic_master_link_key (use_master_key) ? BTM_SUCCESS :
1486 BTM_NO_RESOURCES);
1487 }
1488
1489 /*******************************************************************************
1490 **
1491 ** Function BTM_SetMasterKeyCompCback
1492 **
1493 ** Description This function is called to register for the master key complete
1494 ** status event.
1495 **
1496 ** Parameters: mkey_cback - callback registered with the security manager
1497 **
1498 *******************************************************************************/
BTM_SetMasterKeyCompCback(tBTM_MKEY_CALLBACK * mkey_cback)1499 void BTM_SetMasterKeyCompCback( tBTM_MKEY_CALLBACK *mkey_cback )
1500 {
1501 btm_cb.mkey_cback = mkey_cback;
1502 }
1503
1504 /*******************************************************************************
1505 **
1506 ** Function BTM_SecGetDeviceLinkKey
1507 **
1508 ** Description This function is called to obtain link key for the device
1509 ** it returns BTM_SUCCESS if link key is available, or
1510 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1511 ** the device or device record does not contain link key info
1512 **
1513 ** Parameters: bd_addr - Address of the device
1514 ** link_key - Link Key is copied into this array
1515 **
1516 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1517 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1518 {
1519 tBTM_SEC_DEV_REC *p_dev_rec;
1520
1521 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1522 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1523 {
1524 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1525 return(BTM_SUCCESS);
1526 }
1527 return(BTM_UNKNOWN_ADDR);
1528 }
1529
1530
1531 /*******************************************************************************
1532 **
1533 ** Function BTM_SetEncryption
1534 **
1535 ** Description This function is called to ensure that connection is
1536 ** encrypted. Should be called only on an open connection.
1537 ** Typically only needed for connections that first want to
1538 ** bring up unencrypted links, then later encrypt them.
1539 **
1540 ** Parameters: bd_addr - Address of the peer device
1541 ** p_callback - Pointer to callback function called if
1542 ** this function returns PENDING after required
1543 ** procedures are completed. Can be set to NULL
1544 ** if status is not desired.
1545 ** p_ref_data - pointer to any data the caller wishes to receive
1546 ** in the callback function upon completion.
1547 * can be set to NULL if not used.
1548 ** transport - TRUE to encryption the link over LE trasnport
1549 ** or FALSE for BR/EDR trasnport
1550 **
1551 ** Returns BTM_SUCCESS - already encrypted
1552 ** BTM_PENDING - command will be returned in the callback
1553 ** BTM_WRONG_MODE- connection not up.
1554 ** BTM_BUSY - security procedures are currently active
1555 ** BTM_MODE_UNSUPPORTED - if security manager not linked in.
1556 **
1557 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1558 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1559 void *p_ref_data)
1560 {
1561 tBTM_SEC_DEV_REC *p_dev_rec;
1562 tBTM_STATUS rc;
1563 #if BLE_INCLUDED == TRUE
1564 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1565 #endif
1566
1567 p_dev_rec = btm_find_dev (bd_addr);
1568
1569 if (!p_dev_rec ||
1570 (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1571 #if BLE_INCLUDED == TRUE
1572 || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1573 #endif
1574 )
1575 {
1576 /* Connection should be up and runnning */
1577 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1578
1579 if (p_callback)
1580 (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1581
1582 return(BTM_WRONG_MODE);
1583 }
1584
1585 if ((transport == BT_TRANSPORT_BR_EDR &&
1586 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))
1587 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1588 || (transport == BT_TRANSPORT_LE &&
1589 (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED))
1590 #endif
1591 )
1592 {
1593 BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1594
1595 if (p_callback)
1596 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1597
1598 return(BTM_SUCCESS);
1599 }
1600
1601 if (p_dev_rec->p_callback)
1602 {
1603 /* Connection should be up and runnning */
1604 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy");
1605
1606 if (p_callback)
1607 (*p_callback) (bd_addr, transport, p_ref_data, BTM_BUSY);
1608
1609 return(BTM_BUSY);
1610 }
1611
1612 p_dev_rec->p_callback = p_callback;
1613 p_dev_rec->p_ref_data = p_ref_data;
1614 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1615 p_dev_rec->is_originator = FALSE;
1616
1617 BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1618 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1619 p_dev_rec->security_required);
1620
1621 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1622 if (transport == BT_TRANSPORT_LE)
1623 {
1624 rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1625 }
1626 else
1627 #endif
1628
1629 rc = btm_sec_execute_procedure (p_dev_rec);
1630
1631 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1632 {
1633 if (p_callback)
1634 {
1635 p_dev_rec->p_callback = NULL;
1636 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1637 }
1638 }
1639 return(rc);
1640 }
1641
1642 /*******************************************************************************
1643 * disconnect the ACL link, if it's not done yet.
1644 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1645 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1646 {
1647 UINT8 old_state = p_dev_rec->sec_state;
1648 tBTM_STATUS status = BTM_CMD_STARTED;
1649
1650 BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x",
1651 conn_handle, reason);
1652
1653 /* if some other thread disconnecting, we do not send second command */
1654 if (BTM_SEC_STATE_DISCONNECTING != old_state)
1655 {
1656 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING;
1657
1658 #if BTM_DISC_DURING_RS == TRUE
1659 /* If a Role Switch is in progress, delay the HCI Disconnect to avoid controller problem (4329B1) */
1660 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING &&
1661 p_dev_rec->hci_handle == conn_handle)
1662
1663 {
1664 BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1665 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1666 status = BTM_SUCCESS;
1667 }
1668 else
1669 #endif
1670 /* Tear down the HCI link */
1671 if (!btsnd_hcic_disconnect (conn_handle, reason))
1672 {
1673 /* could not send disconnect. restore old state */
1674 p_dev_rec->sec_state = old_state;
1675 status = BTM_NO_RESOURCES;
1676 }
1677 }
1678 return (status);
1679 }
1680
1681 /*******************************************************************************
1682 **
1683 ** Function BTM_ConfirmReqReply
1684 **
1685 ** Description This function is called to confirm the numeric value for
1686 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1687 **
1688 ** Parameters: res - result of the operation BTM_SUCCESS if success
1689 ** bd_addr - Address of the peer device
1690 **
1691 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1692 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1693 {
1694 tBTM_SEC_DEV_REC *p_dev_rec;
1695
1696 BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s Res: %u",
1697 btm_pair_state_descr(btm_cb.pairing_state), res);
1698
1699 /* If timeout already expired or has been canceled, ignore the reply */
1700 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1701 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1702 return;
1703
1704 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1705
1706 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1707 {
1708 btm_cb.acl_disc_reason = HCI_SUCCESS;
1709
1710 if (res == BTM_SUCCESS)
1711 {
1712 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1713 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1714 }
1715
1716 btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1717 }
1718 else
1719 {
1720 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1721 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1722 btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1723 }
1724 }
1725
1726 /*******************************************************************************
1727 **
1728 ** Function BTM_PasskeyReqReply
1729 **
1730 ** Description This function is called to provide the passkey for
1731 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1732 **
1733 ** Parameters: res - result of the operation BTM_SUCCESS if success
1734 ** bd_addr - Address of the peer device
1735 ** passkey - numeric value in the range of
1736 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1737 **
1738 *******************************************************************************/
1739 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1740 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1741 {
1742 tBTM_SEC_DEV_REC *p_dev_rec;
1743
1744 BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s res:%d",
1745 btm_pair_state_descr(btm_cb.pairing_state), res);
1746
1747 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1748 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1749 {
1750 return;
1751 }
1752
1753 /* If timeout already expired or has been canceled, ignore the reply */
1754 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1755 {
1756 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1757 {
1758 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1759
1760 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1761 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1762 else
1763 BTM_SecBondCancel(bd_addr);
1764
1765 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1766
1767 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1768 return;
1769 }
1770 }
1771 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1772 return;
1773
1774 if (passkey > BTM_MAX_PASSKEY_VAL)
1775 res = BTM_ILLEGAL_VALUE;
1776
1777 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1778
1779 if (res != BTM_SUCCESS)
1780 {
1781 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1782 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1783 btsnd_hcic_user_passkey_neg_reply (bd_addr);
1784 }
1785 else
1786 {
1787 btm_cb.acl_disc_reason = HCI_SUCCESS;
1788 btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1789 }
1790 }
1791 #endif
1792
1793 /*******************************************************************************
1794 **
1795 ** Function BTM_SendKeypressNotif
1796 **
1797 ** Description This function is used during the passkey entry model
1798 ** by a device with KeyboardOnly IO capabilities
1799 ** (very likely to be a HID Device).
1800 ** It is called by a HID Device to inform the remote device when
1801 ** a key has been entered or erased.
1802 **
1803 ** Parameters: bd_addr - Address of the peer device
1804 ** type - notification type
1805 **
1806 *******************************************************************************/
1807 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1808 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1809 {
1810 /* This API only make sense between PASSKEY_REQ and SP complete */
1811 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1812 btsnd_hcic_send_keypress_notif (bd_addr, type);
1813 }
1814 #endif
1815
1816 #if BTM_OOB_INCLUDED == TRUE
1817 /*******************************************************************************
1818 **
1819 ** Function BTM_IoCapRsp
1820 **
1821 ** Description This function is called in response to BTM_SP_IO_REQ_EVT
1822 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1823 ** by the tBTM_SP_CALLBACK implementation, this function is
1824 ** called to provide the actual response
1825 **
1826 ** Parameters: bd_addr - Address of the peer device
1827 ** io_cap - The IO capability of local device.
1828 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT.
1829 ** auth_req- MITM protection required or not.
1830 **
1831 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1832 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1833 {
1834 BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d",
1835 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1836
1837 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1838 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1839 return;
1840
1841 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1842 {
1843 btm_cb.devcb.loc_auth_req = auth_req;
1844 btm_cb.devcb.loc_io_caps = io_cap;
1845
1846 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1847 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1848
1849 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1850 }
1851 }
1852
1853 /*******************************************************************************
1854 **
1855 ** Function BTM_ReadLocalOobData
1856 **
1857 ** Description This function is called to read the local OOB data from
1858 ** LM
1859 **
1860 *******************************************************************************/
BTM_ReadLocalOobData(void)1861 tBTM_STATUS BTM_ReadLocalOobData(void)
1862 {
1863 tBTM_STATUS status = BTM_SUCCESS;
1864
1865 if (btsnd_hcic_read_local_oob_data() == FALSE)
1866 status = BTM_NO_RESOURCES;
1867
1868 return status;
1869 }
1870
1871 /*******************************************************************************
1872 **
1873 ** Function BTM_RemoteOobDataReply
1874 **
1875 ** Description This function is called to provide the remote OOB data for
1876 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1877 **
1878 ** Parameters: bd_addr - Address of the peer device
1879 ** c - simple pairing Hash C.
1880 ** r - simple pairing Randomizer C.
1881 **
1882 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1883 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1884 {
1885 BTM_TRACE_EVENT ("BTM_RemoteOobDataReply(): State: %s res:%d",
1886 btm_pair_state_descr(btm_cb.pairing_state), res);
1887
1888 /* If timeout already expired or has been canceled, ignore the reply */
1889 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1890 return;
1891
1892 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1893
1894 if (res != BTM_SUCCESS)
1895 {
1896 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1897 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1898 btsnd_hcic_rem_oob_neg_reply (bd_addr);
1899 }
1900 else
1901 {
1902 btm_cb.acl_disc_reason = HCI_SUCCESS;
1903 btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1904 }
1905 }
1906
1907 /*******************************************************************************
1908 **
1909 ** Function BTM_BuildOobData
1910 **
1911 ** Description This function is called to build the OOB data payload to
1912 ** be sent over OOB (non-Bluetooth) link
1913 **
1914 ** Parameters: p_data - the location for OOB data
1915 ** max_len - p_data size.
1916 ** c - simple pairing Hash C.
1917 ** r - simple pairing Randomizer C.
1918 ** name_len- 0, local device name would not be included.
1919 ** otherwise, the local device name is included for
1920 ** up to this specified length
1921 **
1922 ** Returns Number of bytes in p_data.
1923 **
1924 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1925 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1926 BT_OCTET16 r, UINT8 name_len)
1927 {
1928 UINT8 *p = p_data;
1929 UINT16 len = 0;
1930 UINT16 delta;
1931 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1932 UINT16 name_size;
1933 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1934 #endif
1935
1936 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1937 {
1938 /* add mandatory part */
1939 UINT16_TO_STREAM(p, len);
1940 BDADDR_TO_STREAM(p, btm_cb.devcb.local_addr);
1941
1942 len = BTM_OOB_MANDATORY_SIZE;
1943 max_len -= len;
1944
1945 /* now optional part */
1946
1947 /* add Hash C */
1948 delta = BTM_OOB_HASH_C_SIZE + 2;
1949 if (max_len >= delta)
1950 {
1951 *p++ = BTM_OOB_HASH_C_SIZE + 1;
1952 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1953 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1954 len += delta;
1955 max_len -= delta;
1956 }
1957
1958 /* add Rand R */
1959 delta = BTM_OOB_RAND_R_SIZE + 2;
1960 if (max_len >= delta)
1961 {
1962 *p++ = BTM_OOB_RAND_R_SIZE + 1;
1963 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1964 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1965 len += delta;
1966 max_len -= delta;
1967 }
1968
1969 /* add class of device */
1970 delta = BTM_OOB_COD_SIZE + 2;
1971 if (max_len >= delta)
1972 {
1973 *p++ = BTM_OOB_COD_SIZE + 1;
1974 *p++ = BTM_EIR_OOB_COD_TYPE;
1975 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1976 len += delta;
1977 max_len -= delta;
1978 }
1979 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1980 name_size = name_len;
1981 if (name_size > strlen(btm_cb.cfg.bd_name))
1982 {
1983 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1984 name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1985 }
1986 delta = name_size + 2;
1987 if (max_len >= delta)
1988 {
1989 *p++ = name_size + 1;
1990 *p++ = name_type;
1991 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1992 len += delta;
1993 max_len -= delta;
1994 }
1995 #endif
1996 /* update len */
1997 p = p_data;
1998 UINT16_TO_STREAM(p, len);
1999 }
2000 return len;
2001 }
2002
2003 /*******************************************************************************
2004 **
2005 ** Function BTM_ReadOobData
2006 **
2007 ** Description This function is called to parse the OOB data payload
2008 ** received over OOB (non-Bluetooth) link
2009 **
2010 ** Parameters: p_data - the location for OOB data
2011 ** eir_tag - The associated EIR tag to read the data.
2012 ** *p_len(output) - the length of the data with the given tag.
2013 **
2014 ** Returns the beginning of the data with the given tag.
2015 ** NULL, if the tag is not found.
2016 **
2017 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)2018 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
2019 {
2020 UINT8 *p = p_data;
2021 UINT16 max_len;
2022 UINT8 len, type;
2023 UINT8 *p_ret = NULL;
2024 UINT8 ret_len = 0;
2025
2026 if (p_data)
2027 {
2028 STREAM_TO_UINT16(max_len, p);
2029 if (max_len >= BTM_OOB_MANDATORY_SIZE)
2030 {
2031 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
2032 {
2033 p_ret = p; /* the location for bd_addr */
2034 ret_len = BTM_OOB_BD_ADDR_SIZE;
2035 }
2036 else
2037 {
2038 p += BD_ADDR_LEN;
2039 max_len -= BTM_OOB_MANDATORY_SIZE;
2040 /* now the optional data in EIR format */
2041 while (max_len > 0)
2042 {
2043 len = *p++; /* tag data len + 1 */
2044 type = *p++;
2045 if (eir_tag == type)
2046 {
2047 p_ret = p;
2048 ret_len = len - 1;
2049 break;
2050 }
2051 /* the data size of this tag is len + 1 (tag data len + 2) */
2052 if (max_len > len)
2053 {
2054 max_len -= len;
2055 max_len--;
2056 len--;
2057 p += len;
2058 }
2059 else
2060 max_len = 0;
2061 }
2062 }
2063 }
2064 }
2065
2066 if (p_len)
2067 *p_len = ret_len;
2068
2069 return p_ret;
2070 }
2071 #endif
2072
2073 /*******************************************************************************
2074 **
2075 ** Function BTM_SetOutService
2076 **
2077 ** Description This function is called to set the service for
2078 ** outgoing connections.
2079 **
2080 ** If the profile/application calls BTM_SetSecurityLevel
2081 ** before initiating a connection, this function does not
2082 ** need to be called.
2083 **
2084 ** Returns void
2085 **
2086 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)2087 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
2088 {
2089 tBTM_SEC_DEV_REC *p_dev_rec;
2090 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
2091 int i;
2092
2093 btm_cb.p_out_serv = p_serv_rec;
2094 p_dev_rec = btm_find_dev (bd_addr);
2095
2096 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
2097 {
2098 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
2099 && (p_serv_rec->service_id == service_id)
2100 && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
2101 {
2102 BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
2103 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
2104 btm_cb.p_out_serv = p_serv_rec;
2105 if (p_dev_rec)
2106 p_dev_rec->p_cur_service = p_serv_rec;
2107 break;
2108 }
2109 }
2110 }
2111
2112 /************************************************************************
2113 ** I N T E R N A L F U N C T I O N S
2114 *************************************************************************/
2115 /*******************************************************************************
2116 **
2117 ** Function btm_sec_is_upgrade_possible
2118 **
2119 ** Description This function returns TRUE if the existing link key
2120 ** can be upgraded or if the link key does not exist.
2121 **
2122 ** Returns BOOLEAN
2123 **
2124 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2125 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
2126 {
2127 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
2128 BOOLEAN is_possible = TRUE;
2129
2130 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
2131 {
2132 is_possible = FALSE;
2133 if(p_dev_rec->p_cur_service)
2134 {
2135 BTM_TRACE_DEBUG ("btm_sec_is_upgrade_possible id:%d, link_key_typet:%d, rmt_io_caps:%d, chk flags:x%x, flags:x%x",
2136 p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps,
2137 mtm_check, p_dev_rec->p_cur_service->security_flags);
2138 }
2139 else
2140 {
2141 BTM_TRACE_DEBUG ("btm_sec_is_upgrade_possible link_key_typet:%d, rmt_io_caps:%d, chk flags:x%x, ",
2142 p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
2143 }
2144 /* Already have a link key to the connected peer. Is the link key secure enough?
2145 ** Is a link key upgrade even possible?
2146 */
2147 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */
2148 && (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) /* has unauthenticated link key */
2149 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */
2150 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps])) /* authenticated link key is possible */
2151 {
2152 /* upgrade is possible: check if the application wants the upgrade.
2153 * If the application is configured to use a global MITM flag,
2154 * it probably would not want to upgrade the link key based on the security level database */
2155 is_possible = TRUE;
2156 }
2157 }
2158 BTM_TRACE_DEBUG ("btm_sec_is_upgrade_possible is_possible:%d sec_flags:0x%x", is_possible, p_dev_rec->sec_flags);
2159 return is_possible;
2160 }
2161
2162 /*******************************************************************************
2163 **
2164 ** Function btm_sec_check_upgrade
2165 **
2166 ** Description This function is called to check if the existing link key
2167 ** needs to be upgraded.
2168 **
2169 ** Returns void
2170 **
2171 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2172 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
2173 {
2174 tBTM_SP_UPGRADE evt_data;
2175
2176 BTM_TRACE_DEBUG ("btm_sec_check_upgrade...");
2177
2178 /* Only check if link key already exists */
2179 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2180 return;
2181 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2182 {
2183 BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2184 /* upgrade is possible: check if the application wants the upgrade.
2185 * If the application is configured to use a global MITM flag,
2186 * it probably would not want to upgrade the link key based on the security level database */
2187 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2188 evt_data.upgrade = TRUE;
2189 if (btm_cb.api.p_sp_callback)
2190 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2191
2192 BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
2193 if (evt_data.upgrade)
2194 {
2195 /* if the application confirms the upgrade, set the upgrade bit */
2196 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2197
2198 /* Clear the link key known to go through authentication/pairing again */
2199 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2200 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2201 BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
2202 }
2203 }
2204 }
2205
2206 /*******************************************************************************
2207 **
2208 ** Function btm_sec_l2cap_access_req
2209 **
2210 ** Description This function is called by the L2CAP to grant permission to
2211 ** establish L2CAP connection to or from the peer device.
2212 **
2213 ** Parameters: bd_addr - Address of the peer device
2214 ** psm - L2CAP PSM
2215 ** is_originator - TRUE if protocol above L2CAP originates
2216 ** connection
2217 ** p_callback - Pointer to callback function called if
2218 ** this function returns PENDING after required
2219 ** procedures are complete. MUST NOT BE NULL.
2220 **
2221 ** Returns tBTM_STATUS
2222 **
2223 *******************************************************************************/
2224 #define BTM_SEC_OUT_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2225 #define BTM_SEC_IN_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2226
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2227 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2228 CONNECTION_TYPE conn_type,
2229 tBTM_SEC_CALLBACK *p_callback,
2230 void *p_ref_data)
2231 {
2232 tBTM_SEC_DEV_REC *p_dev_rec;
2233 tBTM_SEC_SERV_REC *p_serv_rec;
2234 UINT16 security_required;
2235 UINT16 old_security_required;
2236 BOOLEAN old_is_originator;
2237 tBTM_STATUS rc = BTM_SUCCESS;
2238 BOOLEAN chk_acp_auth_done = FALSE;
2239 BOOLEAN is_originator;
2240 BOOLEAN transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */
2241
2242 #if (L2CAP_UCD_INCLUDED == TRUE)
2243 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2244 is_originator = TRUE;
2245 else
2246 is_originator = FALSE;
2247
2248 BTM_TRACE_DEBUG ("btm_sec_l2cap_access_req conn_type:0x%x, 0x%x", conn_type, p_ref_data);
2249 #else
2250 is_originator = conn_type;
2251
2252 BTM_TRACE_DEBUG ("btm_sec_l2cap_access_req is_originator:%d, 0x%x", is_originator, p_ref_data);
2253 #endif
2254
2255 /* Find or get oldest record */
2256 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2257
2258 p_dev_rec->hci_handle = handle;
2259
2260 /* Find the service record for the PSM */
2261 p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2262
2263 /* If there is no application registered with this PSM do not allow connection */
2264 if (!p_serv_rec)
2265 {
2266 BTM_TRACE_WARNING ("btm_sec_l2cap_access_req() PSM:%d no application registerd", psm);
2267
2268 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2269
2270 return(BTM_MODE_UNSUPPORTED);
2271 }
2272
2273 /* SDP connection we will always let through */
2274 if (BT_PSM_SDP == psm)
2275 {
2276 (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2277
2278 return(BTM_SUCCESS);
2279 }
2280 #if (L2CAP_UCD_INCLUDED == TRUE)
2281 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2282 {
2283 security_required = p_serv_rec->ucd_security_flags;
2284
2285 rc = BTM_CMD_STARTED;
2286 if (is_originator)
2287 {
2288 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2289 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2290 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2291 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2292 {
2293 rc = BTM_SUCCESS;
2294 }
2295 }
2296 else
2297 {
2298 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2299 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2300 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2301 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2302 {
2303 rc = BTM_SUCCESS;
2304 }
2305 }
2306
2307 if (rc == BTM_SUCCESS)
2308 {
2309 if (p_callback)
2310 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2311
2312 return(BTM_SUCCESS);
2313 }
2314 }
2315 else
2316 #endif
2317 {
2318 security_required = p_serv_rec->security_flags;
2319 }
2320
2321 /* there are some devices (moto KRZR) which connects to several services at the same time */
2322 /* we will process one after another */
2323 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2324 {
2325 BTM_TRACE_EVENT ("btm_sec_l2cap_access_req() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x",
2326 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2327 BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2328 rc = BTM_CMD_STARTED;
2329 if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2330 || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2331 || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2332 )
2333 {
2334 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2335 * or SM4 with no possibility of link key upgrade */
2336 if (is_originator)
2337 {
2338 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2339 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2340 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2341 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec))) )
2342 {
2343 rc = BTM_SUCCESS;
2344 }
2345 }
2346 else
2347 {
2348 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2349 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2350 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2351 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2352 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2353 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2354 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2355 {
2356 rc = BTM_SUCCESS;
2357 }
2358 }
2359
2360 if (rc == BTM_SUCCESS)
2361 {
2362 if (p_callback)
2363 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2364
2365 return(BTM_SUCCESS);
2366 }
2367 }
2368
2369 btm_cb.sec_req_pending = TRUE;
2370 return(BTM_CMD_STARTED);
2371 }
2372
2373 /* Save pointer to service record */
2374 p_dev_rec->p_cur_service = p_serv_rec;
2375
2376
2377 /* mess /w security_required in btm_sec_l2cap_access_req for Lisbon */
2378 if (btm_cb.security_mode == BTM_SEC_MODE_SP)
2379 {
2380 if (is_originator)
2381 {
2382 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2383 {
2384 /* SM4 to SM4 -> always authenticate & encrypt */
2385 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2386 }
2387 else
2388 {
2389 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2390 {
2391 BTM_TRACE_DEBUG ("remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2392 /* the remote features are not known yet */
2393 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2394
2395 return(BTM_CMD_STARTED);
2396 }
2397 }
2398 }
2399 else
2400 {
2401 /* responder */
2402 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2403 {
2404 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2405 chk_acp_auth_done = TRUE;
2406 /* SM4 to SM4 -> always authenticate & encrypt */
2407 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2408 }
2409 else
2410 {
2411 if ( !(BTM_SM4_KNOWN & p_dev_rec->sm4))
2412 {
2413 BTM_TRACE_DEBUG ("(rsp) remote features unknown!!sec_flags:0x%x", p_dev_rec->sec_flags);
2414 /* the remote features are not known yet */
2415 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2416
2417 return(BTM_CMD_STARTED);
2418 }
2419 }
2420 }
2421 }
2422
2423 BTM_TRACE_DEBUG ("btm_sec_l2cap_access_req() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d",
2424 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2425
2426 old_security_required = p_dev_rec->security_required;
2427 old_is_originator = p_dev_rec->is_originator;
2428 p_dev_rec->security_required = security_required;
2429 p_dev_rec->p_ref_data = p_ref_data;
2430 p_dev_rec->is_originator = is_originator;
2431
2432 #if (L2CAP_UCD_INCLUDED == TRUE)
2433 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2434 p_dev_rec->is_ucd = TRUE;
2435 else
2436 p_dev_rec->is_ucd = FALSE;
2437 #endif
2438
2439 /* If there are multiple service records used through the same PSM */
2440 /* leave security decision for the multiplexor on the top */
2441 #if (L2CAP_UCD_INCLUDED == TRUE)
2442 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2443 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2444 #else
2445 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2446 #endif
2447 {
2448 BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2449 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2450 {
2451 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2452 /* pre-Lisbon: restore the old settings */
2453 p_dev_rec->security_required = old_security_required;
2454 p_dev_rec->is_originator = old_is_originator;
2455
2456 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2457
2458 return(BTM_SUCCESS);
2459 }
2460 }
2461
2462 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now.
2463 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect response is received*/
2464 if (is_originator && (btm_cb.security_mode != BTM_SEC_MODE_SP || !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2465 {
2466 BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2467 /* restore the old settings */
2468 p_dev_rec->security_required = old_security_required;
2469 p_dev_rec->is_originator = old_is_originator;
2470
2471 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2472
2473 return(BTM_SUCCESS);
2474 }
2475
2476 if (chk_acp_auth_done)
2477 {
2478 BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2479 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2480 /* SM4, but we do not know for sure which level of security we need.
2481 * as long as we have a link key, it's OK */
2482 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2483 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2484 {
2485 rc = BTM_DELAY_CHECK;
2486 /*
2487 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2488 because of data path issues. Delay this disconnect a little bit
2489 */
2490 BTM_TRACE_ERROR ("peer should have initiated security process by now (SM4 to SM4)");
2491 p_dev_rec->p_callback = p_callback;
2492 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC;
2493 (*p_callback) (bd_addr, transport, p_ref_data, rc);
2494
2495 return(BTM_CMD_STARTED);
2496 }
2497 }
2498
2499 p_dev_rec->p_callback = p_callback;
2500
2501 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2502 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2503 {
2504 /* Although authentication and encryption are per connection
2505 ** authorization is per access request. For example when serial connection
2506 ** is up and authorized and client requests to read file (access to other
2507 ** scn), we need to request user's permission again.
2508 */
2509 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2510 }
2511
2512 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2513 {
2514 /* If we already have a link key to the connected peer, is the link key secure enough ? */
2515 btm_sec_check_upgrade(p_dev_rec, is_originator);
2516 }
2517
2518 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d Handle:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2519 psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2520
2521 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2522 {
2523 p_dev_rec->p_callback = NULL;
2524 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2525 }
2526
2527 return(rc);
2528 }
2529
2530 /*******************************************************************************
2531 **
2532 ** Function btm_sec_mx_access_request
2533 **
2534 ** Description This function is called by all Multiplexing Protocols during
2535 ** establishing connection to or from peer device to grant
2536 ** permission to establish application connection.
2537 **
2538 ** Parameters: bd_addr - Address of the peer device
2539 ** psm - L2CAP PSM
2540 ** is_originator - TRUE if protocol above L2CAP originates
2541 ** connection
2542 ** mx_proto_id - protocol ID of the multiplexer
2543 ** mx_chan_id - multiplexer channel to reach application
2544 ** p_callback - Pointer to callback function called if
2545 ** this function returns PENDING after required
2546 ** procedures are completed
2547 ** p_ref_data - Pointer to any reference data needed by the
2548 ** the callback function.
2549 **
2550 ** Returns BTM_CMD_STARTED
2551 **
2552 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2553 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2554 UINT32 mx_proto_id, UINT32 mx_chan_id,
2555 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2556
2557 {
2558 tBTM_SEC_DEV_REC *p_dev_rec;
2559 tBTM_SEC_SERV_REC *p_serv_rec;
2560 tBTM_STATUS rc;
2561 UINT16 security_required;
2562 BOOLEAN transport = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2563
2564 BTM_TRACE_DEBUG ("btm_sec_mx_access_request is_originator:%d", is_originator);
2565 /* Find or get oldest record */
2566 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2567
2568 /* Find the service record for the PSM */
2569 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2570
2571 /* If there is no application registered with this PSM do not allow connection */
2572 if (!p_serv_rec)
2573 {
2574 if (p_callback)
2575 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2576
2577 BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2578 psm, mx_proto_id, mx_chan_id);
2579 return BTM_NO_RESOURCES;
2580 }
2581
2582 /* there are some devices (moto phone) which connects to several services at the same time */
2583 /* we will process one after another */
2584 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2585 {
2586 BTM_TRACE_EVENT ("btm_sec_mx_access_request service PSM:%d Proto:%d SCN:%d delayed state: %s",
2587 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2588
2589 rc = BTM_CMD_STARTED;
2590 security_required = p_serv_rec->security_flags;
2591 if ((BTM_SEC_MODE_SP != btm_cb.security_mode)
2592 || ((BTM_SEC_MODE_SP == btm_cb.security_mode) && (BTM_SM4_KNOWN == p_dev_rec->sm4))
2593 || (BTM_SEC_IS_SM4(p_dev_rec->sm4) && (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))
2594 )
2595 {
2596 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2597 * or SM4 with no possibility of link key upgrade */
2598 if (is_originator)
2599 {
2600 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2601 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2602 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2603 )
2604 {
2605 rc = BTM_SUCCESS;
2606 }
2607 }
2608 else
2609 {
2610 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2611 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2612 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2613 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2614 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2615 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2616 )
2617 {
2618 rc = BTM_SUCCESS;
2619 }
2620 }
2621 }
2622 if (rc == BTM_CMD_STARTED)
2623 {
2624 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id, mx_chan_id, p_callback, p_ref_data);
2625 return rc;
2626 }
2627 }
2628
2629 p_dev_rec->p_cur_service = p_serv_rec;
2630 p_dev_rec->security_required = p_serv_rec->security_flags;
2631
2632 if (BTM_SEC_MODE_SP == btm_cb.security_mode)
2633 {
2634 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2635 {
2636 /* If we already have a link key, check if that link key is good enough */
2637 btm_sec_check_upgrade(p_dev_rec, is_originator);
2638 }
2639 }
2640
2641 p_dev_rec->is_originator = is_originator;
2642 p_dev_rec->p_callback = p_callback;
2643 p_dev_rec->p_ref_data = p_ref_data;
2644
2645 /* Although authentication and encryption are per connection */
2646 /* authorization is per access request. For example when serial connection */
2647 /* is up and authorized and client requests to read file (access to other */
2648 /* scn, we need to request user's permission again. */
2649 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2650
2651 BTM_TRACE_EVENT ("Security Manager: mx_access_req proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2652 mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags, p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2653
2654 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2655 {
2656 if (p_callback)
2657 {
2658 p_dev_rec->p_callback = NULL;
2659
2660 (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2661 }
2662 }
2663
2664 return rc;
2665 }
2666
2667 /*******************************************************************************
2668 **
2669 ** Function btm_sec_conn_req
2670 **
2671 ** Description This function is when the peer device is requesting
2672 ** connection
2673 **
2674 ** Returns void
2675 **
2676 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2677 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2678 {
2679 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
2680
2681 /* Some device may request a connection before we are done with the HCI_Reset sequence */
2682 if (btm_cb.devcb.state != BTM_DEV_STATE_READY)
2683 {
2684 BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2685 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2686 return;
2687 }
2688
2689 /* Security guys wants us not to allow connection from not paired devices */
2690
2691 /* Check if connection is allowed for only paired devices */
2692 if (btm_cb.connect_only_paired)
2693 {
2694 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2695 {
2696 BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2697 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2698 return;
2699 }
2700 }
2701
2702 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2703 /* If non-discoverable, only allow known devices to connect */
2704 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2705 {
2706 if (!p_dev_rec)
2707 {
2708 BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2709 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2710 return;
2711 }
2712 }
2713 #endif
2714
2715 /* Host can be registered to verify comming BDA or DC */
2716 if (btm_cb.p_conn_filter_cb)
2717 {
2718 if (!(* btm_cb.p_conn_filter_cb) (bda, dc))
2719 {
2720 BTM_TRACE_EVENT ("Security Manager: connect request did not pass filter");
2721
2722 /* incomming call did not pass connection filters. Reject */
2723 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2724 return;
2725 }
2726 }
2727
2728 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2729 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2730 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2731 {
2732 BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2733
2734 /* incoming connection from bonding device is rejected */
2735 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2736 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2737 return;
2738 }
2739
2740 /* Host is not interested or approved connection. Save BDA and DC and */
2741 /* pass request to L2CAP */
2742 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2743 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN);
2744
2745 if (l2c_link_hci_conn_req (bda))
2746 {
2747 if (!p_dev_rec)
2748 {
2749 /* accept the connection -> allocate a device record */
2750 p_dev_rec = btm_sec_alloc_dev (bda);
2751 }
2752 if (p_dev_rec)
2753 {
2754 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2755 }
2756 }
2757 }
2758
2759 /*******************************************************************************
2760 **
2761 ** Function btm_sec_bond_cancel_complete
2762 **
2763 ** Description This function is called to report bond cancel complete
2764 ** event.
2765 **
2766 ** Returns void
2767 **
2768 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2769 static void btm_sec_bond_cancel_complete (void)
2770 {
2771 tBTM_SEC_DEV_REC *p_dev_rec;
2772
2773 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2774 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2775 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2776 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2777 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2778 {
2779 /* for dedicated bonding in legacy mode, authentication happens at "link level"
2780 * btm_sec_connected is called with failed status.
2781 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2782 * However, this function may clean out the security related flags and btm_sec_connected would not know
2783 * this function also needs to do proper clean up.
2784 */
2785 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2786 p_dev_rec->security_required = BTM_SEC_NONE;
2787 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2788
2789 /* Notify application that the cancel succeeded */
2790 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2791 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2792 }
2793 }
2794
2795 /*******************************************************************************
2796 **
2797 ** Function btm_create_conn_cancel_complete
2798 **
2799 ** Description This function is called when the command complete message
2800 ** is received from the HCI for the create connection cancel
2801 ** command.
2802 **
2803 ** Returns void
2804 **
2805 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2806 void btm_create_conn_cancel_complete (UINT8 *p)
2807 {
2808 UINT8 status;
2809
2810 STREAM_TO_UINT8 (status, p);
2811 BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s status:%d",
2812 btm_pair_state_descr(btm_cb.pairing_state), status);
2813
2814 /* if the create conn cancel cmd was issued by the bond cancel,
2815 ** the application needs to be notified that bond cancel succeeded
2816 */
2817 switch (status)
2818 {
2819 case HCI_SUCCESS:
2820 btm_sec_bond_cancel_complete();
2821 break;
2822 case HCI_ERR_CONNECTION_EXISTS:
2823 case HCI_ERR_NO_CONNECTION:
2824 default:
2825 /* Notify application of the error */
2826 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2827 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2828 break;
2829 }
2830 }
2831
2832 /*******************************************************************************
2833 **
2834 ** Function btm_sec_check_pending_reqs
2835 **
2836 ** Description This function is called at the end of the security procedure
2837 ** to let L2CAP and RFCOMM know to re-submit any pending requests
2838 **
2839 ** Returns void
2840 **
2841 *******************************************************************************/
btm_sec_check_pending_reqs(void)2842 void btm_sec_check_pending_reqs (void)
2843 {
2844 tBTM_SEC_QUEUE_ENTRY *p_e;
2845 BUFFER_Q bq;
2846
2847 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2848 {
2849 /* First, resubmit L2CAP requests */
2850 if (btm_cb.sec_req_pending)
2851 {
2852 btm_cb.sec_req_pending = FALSE;
2853 l2cu_resubmit_pending_sec_req (NULL);
2854 }
2855
2856 /* Now, re-submit anything in the mux queue */
2857 bq = btm_cb.sec_pending_q;
2858
2859 GKI_init_q (&btm_cb.sec_pending_q);
2860
2861 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2862 {
2863 /* Check that the ACL is still up before starting security procedures */
2864 if (btm_bda_to_acl(p_e->bd_addr, BT_TRANSPORT_BR_EDR) != NULL)
2865 {
2866 BTM_TRACE_EVENT ("btm_sec_check_pending_reqs() submitting PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
2867 p_e->psm, p_e->is_orig, p_e->mx_proto_id, p_e->mx_chan_id);
2868
2869 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2870 p_e->mx_proto_id, p_e->mx_chan_id,
2871 p_e->p_callback, p_e->p_ref_data);
2872 }
2873
2874 GKI_freebuf (p_e);
2875 }
2876 }
2877 }
2878
2879 /*******************************************************************************
2880 **
2881 ** Function btm_sec_init
2882 **
2883 ** Description This function is on the SEC startup
2884 **
2885 ** Returns void
2886 **
2887 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2888 void btm_sec_init (UINT8 sec_mode)
2889 {
2890 #if 0 /* cleared in btm_init; put back in if calling from anywhere else! */
2891 int i;
2892
2893 memset (btm_cb.sec_serv_rec, 0, sizeof (btm_cb.sec_serv_rec));
2894 memset (btm_cb.sec_dev_rec, 0, sizeof (btm_cb.sec_dev_rec));
2895 memset (&btm_cb.pairing_tle, 0, sizeof(TIMER_LIST_ENT));
2896
2897 #endif
2898 btm_cb.security_mode = sec_mode;
2899 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2900 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2901 }
2902
2903 /*******************************************************************************
2904 **
2905 ** Function btm_sec_device_down
2906 **
2907 ** Description This function should be called when device is disabled or
2908 ** turned off
2909 **
2910 ** Returns void
2911 **
2912 *******************************************************************************/
btm_sec_device_down(void)2913 void btm_sec_device_down (void)
2914 {
2915 BTM_TRACE_EVENT ("btm_sec_device_down() State: %s", btm_pair_state_descr(btm_cb.pairing_state));
2916
2917 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2918 }
2919
2920 /*******************************************************************************
2921 **
2922 ** Function btm_sec_dev_reset
2923 **
2924 ** Description This function should be called after device reset
2925 **
2926 ** Returns void
2927 **
2928 *******************************************************************************/
btm_sec_dev_reset(void)2929 void btm_sec_dev_reset (void)
2930 {
2931 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
2932 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
2933 {
2934 btsnd_hcic_write_auth_enable (TRUE);
2935 btsnd_hcic_write_encr_mode (HCI_ENCRYPT_MODE_POINT_TO_POINT);
2936 }
2937 #endif
2938 #if (BTM_PRE_LISBON_INCLUDED == TRUE)
2939 else
2940 #endif
2941 /* btm_sec_dev_reset() is only called from btm_decode_ext_features_page(...)
2942 * right now. */
2943 if (HCI_SIMPLE_PAIRING_SUPPORTED(btm_cb.devcb.local_lmp_features[HCI_EXT_FEATURES_PAGE_0]))
2944 {
2945 btsnd_hcic_write_simple_pairing_mode(HCI_SP_MODE_ENABLED);
2946 #if BLE_INCLUDED == TRUE
2947 btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID,
2948 (UINT8 *)HCI_DUMO_EVENT_MASK_EXT);
2949
2950 btsnd_hcic_ble_set_evt_mask((UINT8 *)HCI_BLE_EVENT_MASK_DEF);
2951
2952 #else
2953 btsnd_hcic_set_event_mask(LOCAL_BR_EDR_CONTROLLER_ID,
2954 (UINT8 *)HCI_LISBON_EVENT_MASK_EXT);
2955 #endif
2956 /* set the default IO capabilities */
2957 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2958 /* add mx service to use no security */
2959 #if (RFCOMM_INCLUDED == TRUE)
2960 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2961 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2962 #endif
2963 }
2964 else
2965 {
2966 btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2967 }
2968
2969 BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2970 }
2971
2972 /*******************************************************************************
2973 **
2974 ** Function btm_sec_abort_access_req
2975 **
2976 ** Description This function is called by the L2CAP or RFCOMM to abort
2977 ** the pending operation.
2978 **
2979 ** Parameters: bd_addr - Address of the peer device
2980 **
2981 ** Returns void
2982 **
2983 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2984 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2985 {
2986 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2987
2988 if (!p_dev_rec)
2989 return;
2990
2991 if (btm_cb.api.p_abort_callback)
2992 (*btm_cb.api.p_abort_callback)(bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
2993
2994 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
2995 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
2996 return;
2997
2998 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2999 p_dev_rec->p_callback = NULL;
3000 }
3001
3002 /*******************************************************************************
3003 **
3004 ** Function btm_sec_dd_create_conn
3005 **
3006 ** Description This function is called to create the ACL connection for
3007 ** the dedicated boding process
3008 **
3009 ** Returns void
3010 **
3011 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)3012 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
3013 {
3014 tL2C_LCB *p_lcb;
3015
3016 /* Make sure an L2cap link control block is available */
3017 if ((p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
3018 {
3019 BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
3020 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3021 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3022
3023 return(BTM_NO_RESOURCES);
3024 }
3025
3026 /* set up the control block to indicated dedicated bonding */
3027 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
3028
3029 if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
3030 {
3031 BTM_TRACE_WARNING ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]",
3032 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3033 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3034
3035 l2cu_release_lcb(p_lcb);
3036 return(BTM_NO_RESOURCES);
3037 }
3038
3039 #if (defined(BTM_BUSY_LEVEL_CHANGE_INCLUDED) && BTM_BUSY_LEVEL_CHANGE_INCLUDED == TRUE)
3040 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
3041 #endif
3042
3043 BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
3044 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3045 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3046
3047 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
3048
3049 return(BTM_CMD_STARTED);
3050 }
3051
3052 /*******************************************************************************
3053 **
3054 ** Function btm_sec_rmt_name_request_complete
3055 **
3056 ** Description This function is called when remote name was obtained from
3057 ** the peer device
3058 **
3059 ** Returns void
3060 **
3061 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)3062 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
3063 {
3064 tBTM_SEC_DEV_REC *p_dev_rec;
3065 int i;
3066 DEV_CLASS dev_class;
3067 UINT8 old_sec_state;
3068
3069 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
3070 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
3071 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
3072 {
3073 btm_acl_resubmit_page();
3074 }
3075
3076 /* If remote name request failed, p_bd_addr is null and we need to search */
3077 /* based on state assuming that we are doing 1 at a time */
3078 if (p_bd_addr)
3079 p_dev_rec = btm_find_dev (p_bd_addr);
3080 else
3081 {
3082 p_dev_rec = &btm_cb.sec_dev_rec[0];
3083
3084 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
3085 {
3086 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
3087 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
3088 {
3089 p_bd_addr = p_dev_rec->bd_addr;
3090 break;
3091 }
3092 }
3093
3094 if (i == BTM_SEC_MAX_DEVICE_RECORDS)
3095 p_dev_rec = NULL;
3096 }
3097
3098
3099 /* Commenting out trace due to obf/compilation problems.
3100 */
3101 #if (BT_USE_TRACES == TRUE)
3102 if (!p_bd_name)
3103 p_bd_name = (UINT8 *)"";
3104
3105 if (p_dev_rec)
3106 {
3107 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ",
3108 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3109 status, p_dev_rec->sec_state, p_dev_rec);
3110 }
3111 else
3112 {
3113 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d",
3114 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3115 status);
3116 }
3117 #endif
3118
3119 if (p_dev_rec)
3120 {
3121 old_sec_state = p_dev_rec->sec_state;
3122 if (status == HCI_SUCCESS)
3123 {
3124 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3125 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3126 BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
3127 }
3128 else
3129 {
3130 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3131 p_dev_rec->sec_bd_name[0] = 0;
3132 }
3133
3134 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
3135 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3136
3137 /* Notify all clients waiting for name to be resolved */
3138 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3139 {
3140 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3141 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3142 p_dev_rec->sec_bd_name);
3143 }
3144 }
3145 else
3146 {
3147 dev_class[0] = 0;
3148 dev_class[1] = 0;
3149 dev_class[2] = 0;
3150
3151 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3152 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3153 {
3154 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3155 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3156 }
3157
3158 return;
3159 }
3160
3161 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3162 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3163 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3164 {
3165 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3166
3167 if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
3168 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
3169 btm_cb.api.p_pin_callback)
3170 {
3171 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback");
3172 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3173 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name);
3174 }
3175
3176 /* Set the same state again to force the timer to be restarted */
3177 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3178 return;
3179 }
3180
3181 /* Check if we were delaying bonding because name was not resolved */
3182 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3183 {
3184 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3185 {
3186 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
3187 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3188 {
3189 btm_sec_bond_cancel_complete();
3190 return;
3191 }
3192
3193 if (status != HCI_SUCCESS)
3194 {
3195 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3196
3197 if (btm_cb.api.p_auth_complete_callback)
3198 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3199 p_dev_rec->sec_bd_name, status);
3200 return;
3201 }
3202
3203 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3204 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3205 {
3206 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3207 /* If it is set, there may be a race condition */
3208 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete IS_SM4_UNKNOWN Flags:0x%04x",
3209 btm_cb.pairing_flags);
3210 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3211 {
3212 p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3213 }
3214 }
3215
3216 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
3217 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3218 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3219
3220 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3221 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3222 */
3223 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3224 {
3225 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3226 /* before originating */
3227 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3228 {
3229 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
3230 }
3231 /* Both we and the peer are 2.1 - continue to create connection */
3232 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3233 {
3234 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection");
3235
3236 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3237
3238 if (btm_cb.api.p_auth_complete_callback)
3239 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3240 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3241 }
3242 }
3243 return;
3244 }
3245 else
3246 {
3247 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
3248
3249 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3250 return;
3251 }
3252 }
3253
3254 /* check if we were delaying link_key_callback because name was not resolved */
3255 if (p_dev_rec->link_key_not_sent)
3256 {
3257 /* If HCI connection complete has not arrived, wait for it */
3258 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3259 return;
3260
3261 p_dev_rec->link_key_not_sent = FALSE;
3262 btm_send_link_key_notif(p_dev_rec);
3263
3264 /* If its not us who perform authentication, we should tell stackserver */
3265 /* that some authentication has been completed */
3266 /* This is required when different entities receive link notification and auth complete */
3267 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3268 {
3269 if (btm_cb.api.p_auth_complete_callback)
3270 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3271 p_dev_rec->dev_class,
3272 p_dev_rec->sec_bd_name, HCI_SUCCESS);
3273
3274 }
3275 }
3276
3277 /* If this is a bonding procedure can disconnect the link now */
3278 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3279 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3280 {
3281 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3282 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3283 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3284 return;
3285 }
3286
3287 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3288 return;
3289
3290 /* If get name failed, notify the waiting layer */
3291 if (status != HCI_SUCCESS)
3292 {
3293 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3294 return;
3295 }
3296
3297 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3298 {
3299 BTM_TRACE_EVENT ("waiting for remote features!!");
3300 return;
3301 }
3302
3303 /* Remote Name succeeded, execute the next security procedure, if any */
3304 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3305
3306 /* If result is pending reply from the user or from the device is pending */
3307 if (status == BTM_CMD_STARTED)
3308 return;
3309
3310 /* There is no next procedure or start of procedure failed, notify the waiting layer */
3311 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
3312 }
3313
3314 /*******************************************************************************
3315 **
3316 ** Function btm_sec_rmt_host_support_feat_evt
3317 **
3318 ** Description This function is called when the
3319 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3320 **
3321 ** Returns void
3322 **
3323 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3324 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3325 {
3326 tBTM_SEC_DEV_REC *p_dev_rec;
3327 BD_ADDR bd_addr; /* peer address */
3328 BD_FEATURES features;
3329
3330 STREAM_TO_BDADDR (bd_addr, p);
3331 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3332
3333 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3334
3335 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3336 {
3337 p_dev_rec->sm4 = BTM_SM4_KNOWN;
3338 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3339 if (HCI_SSP_HOST_SUPPORTED(features))
3340 {
3341 p_dev_rec->sm4 = BTM_SM4_TRUE;
3342 }
3343 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3344 }
3345 }
3346
3347 /*******************************************************************************
3348 **
3349 ** Function btm_io_capabilities_req
3350 **
3351 ** Description This function is called when LM request for the IO
3352 ** capability of the local device and
3353 ** if the OOB data is present for the device in the event
3354 **
3355 ** Returns void
3356 **
3357 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3358 void btm_io_capabilities_req (UINT8 *p)
3359 {
3360 tBTM_SP_IO_REQ evt_data;
3361 UINT8 err_code = 0;
3362 tBTM_SEC_DEV_REC *p_dev_rec;
3363 BOOLEAN is_orig = TRUE;
3364 UINT8 callback_rc = BTM_SUCCESS;
3365
3366 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3367
3368 /* setup the default response according to compile options */
3369 /* assume that the local IO capability does not change
3370 * loc_io_caps is initialized with the default value */
3371 evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3372 evt_data.oob_data = BTM_OOB_NONE;
3373 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3374
3375 BTM_TRACE_EVENT ("btm_io_capabilities_req() State: %s", btm_pair_state_descr(btm_cb.pairing_state));
3376
3377 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3378 p_dev_rec->sm4 |= BTM_SM4_TRUE;
3379
3380 BTM_TRACE_EVENT ("btm_io_capabilities_req() State: %s Flags: 0x%04x p_cur_service: 0x%08x",
3381 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3382
3383 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3384 {
3385 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP)
3386 {
3387 /* received IO capability response already-> not the originator of SSP */
3388 is_orig = FALSE;
3389
3390 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3391 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3392 }
3393 /* security is already in progress */
3394 else if (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)
3395 {
3396 /* coverity[uninit_use_in_call]
3397 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3398 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3399 */
3400 if (memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3401 {
3402 /* and it's not the device in bonding -> reject it */
3403 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3404 }
3405 else
3406 {
3407 /* local device initiated dedicated bonding */
3408 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3409 }
3410 }
3411 else
3412 {
3413 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3414 }
3415 }
3416
3417 /* paring is not allowed */
3418 if (btm_cb.pairing_disabled)
3419 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3420
3421 if (err_code != 0)
3422 {
3423 /* coverity[uninit_use_in_call]
3424 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3425 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3426 */
3427 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3428 return;
3429 }
3430
3431 evt_data.is_orig = is_orig;
3432
3433 if (is_orig)
3434 {
3435 /* local device initiated the pairing non-bonding -> use p_cur_service */
3436 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3437 p_dev_rec->p_cur_service &&
3438 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3439 {
3440 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_MITM) ? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3441 }
3442 }
3443
3444 /* Notify L2CAP to increase timeout */
3445 l2c_pin_code_request (evt_data.bd_addr);
3446
3447 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3448
3449 /* coverity[uninit_use_in_call]
3450 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3451 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3452 */
3453 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3454 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3455
3456 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3457
3458 callback_rc = BTM_SUCCESS;
3459 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3460 {
3461 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3462
3463 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3464 evt_data.auth_req = BTM_AUTH_SPGB_YES;
3465 }
3466 else if (btm_cb.api.p_sp_callback)
3467 {
3468 /* the callback function implementation may change the IO capability... */
3469 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3470 }
3471
3472 #if BTM_OOB_INCLUDED == TRUE
3473 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3474 #else
3475 if (callback_rc == BTM_SUCCESS)
3476 #endif
3477 {
3478 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3479 {
3480 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3481 }
3482
3483 /* if the user does not indicate "reply later" by setting the oob_data to unknown
3484 * send the response right now. Save the current IO capability in the control block */
3485 btm_cb.devcb.loc_auth_req = evt_data.auth_req;
3486 btm_cb.devcb.loc_io_caps = evt_data.io_cap;
3487
3488 BTM_TRACE_EVENT ("btm_io_capabilities_req: State: %s IO_CAP:%d oob_data:%d auth_req:%d",
3489 btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3490 evt_data.oob_data, evt_data.auth_req);
3491
3492 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3493 evt_data.oob_data, evt_data.auth_req);
3494 }
3495 }
3496
3497 /*******************************************************************************
3498 **
3499 ** Function btm_io_capabilities_rsp
3500 **
3501 ** Description This function is called when the IO capability of the
3502 ** specified device is received
3503 **
3504 ** Returns void
3505 **
3506 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3507 void btm_io_capabilities_rsp (UINT8 *p)
3508 {
3509 tBTM_SEC_DEV_REC *p_dev_rec;
3510 tBTM_SP_IO_RSP evt_data;
3511
3512 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3513 STREAM_TO_UINT8 (evt_data.io_cap, p);
3514 STREAM_TO_UINT8 (evt_data.oob_data, p);
3515 STREAM_TO_UINT8 (evt_data.auth_req, p);
3516
3517 /* Allocate a new device record or reuse the oldest one */
3518 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3519
3520 /* If no security is in progress, this indicates incoming security */
3521 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3522 {
3523 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3524
3525 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3526
3527 /* Make sure we reset the trusted mask to help against attacks */
3528 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3529
3530 /* work around for FW bug */
3531 btm_inq_stop_on_ssp();
3532 }
3533
3534 /* Notify L2CAP to increase timeout */
3535 l2c_pin_code_request (evt_data.bd_addr);
3536
3537 /* We must have a device record here.
3538 * Use the connecting device's CoD for the connection */
3539 /* coverity[uninit_use_in_call]
3540 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3541 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3542 */
3543 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3544 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3545
3546 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3547 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3548 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */
3549 {
3550 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3551 }
3552
3553 /* save the IO capability in the device record */
3554 p_dev_rec->rmt_io_caps = evt_data.io_cap;
3555 p_dev_rec->rmt_auth_req = evt_data.auth_req;
3556
3557 if (btm_cb.api.p_sp_callback)
3558 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3559 }
3560
3561 /*******************************************************************************
3562 **
3563 ** Function btm_proc_sp_req_evt
3564 **
3565 ** Description This function is called to process/report
3566 ** HCI_USER_CONFIRMATION_REQUEST_EVT
3567 ** or HCI_USER_PASSKEY_REQUEST_EVT
3568 ** or HCI_USER_PASSKEY_NOTIFY_EVT
3569 **
3570 ** Returns void
3571 **
3572 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3573 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3574 {
3575 tBTM_STATUS status = BTM_ERR_PROCESSING;
3576 tBTM_SP_EVT_DATA evt_data;
3577 UINT8 *p_bda = evt_data.cfm_req.bd_addr;
3578 tBTM_SEC_DEV_REC *p_dev_rec;
3579
3580 /* All events start with bd_addr */
3581 STREAM_TO_BDADDR (p_bda, p);
3582
3583 BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3584 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3585 event, btm_pair_state_descr(btm_cb.pairing_state));
3586
3587 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3588 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3589 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3590 {
3591 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3592 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3593
3594 BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3595
3596 switch (event)
3597 {
3598 case BTM_SP_CFM_REQ_EVT:
3599 /* Numeric confirmation. Need user to conf the passkey */
3600 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3601
3602 /* The device record must be allocated in the "IO cap exchange" step */
3603 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3604
3605 evt_data.cfm_req.just_works = TRUE;
3606
3607 /* process user confirm req in association with the auth_req param */
3608 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3609 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3610 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3611 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3612 {
3613 /* Both devices are DisplayYesNo and one or both devices want to authenticate
3614 -> use authenticated link key */
3615 evt_data.cfm_req.just_works = FALSE;
3616 }
3617 #endif
3618 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3619 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3620 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3621
3622 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req;
3623 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req;
3624 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps;
3625 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps;
3626 break;
3627
3628 case BTM_SP_KEY_NOTIF_EVT:
3629 /* Passkey notification (other side is a keyboard) */
3630 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3631
3632 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey);
3633
3634 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3635 break;
3636
3637 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3638 case BTM_SP_KEY_REQ_EVT:
3639 /* HCI_USER_PASSKEY_REQUEST_EVT */
3640 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3641 break;
3642 #endif
3643 }
3644
3645 if (btm_cb.api.p_sp_callback)
3646 {
3647 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3648 if (status != BTM_NOT_AUTHORIZED)
3649 {
3650 return;
3651 }
3652 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3653 }
3654 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3655 {
3656 /* automatically reply with just works if no sp_cback */
3657 status = BTM_SUCCESS;
3658 }
3659
3660 if (event == BTM_SP_CFM_REQ_EVT)
3661 {
3662 BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3663 BTM_ConfirmReqReply (status, p_bda);
3664 }
3665 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3666 else if (event == BTM_SP_KEY_REQ_EVT)
3667 {
3668 BTM_PasskeyReqReply(status, p_bda, 0);
3669 }
3670 #endif
3671 return;
3672 }
3673
3674 /* Something bad. we can only fail this connection */
3675 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3676
3677 if (BTM_SP_CFM_REQ_EVT == event)
3678 {
3679 btsnd_hcic_user_conf_reply (p_bda, FALSE);
3680 }
3681 else if (BTM_SP_KEY_NOTIF_EVT == event)
3682 {
3683 /* do nothing -> it very unlikely to happen.
3684 This event is most likely to be received by a HID host when it first connects to a HID device.
3685 Usually the Host initiated the connection in this case.
3686 On Mobile platforms, if there's a security process happening,
3687 the host probably can not initiate another connection.
3688 BTW (PC) is another story. */
3689 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3690 {
3691 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3692 }
3693 }
3694 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3695 else
3696 {
3697 btsnd_hcic_user_passkey_neg_reply(p_bda);
3698 }
3699 #endif
3700 }
3701
3702 /*******************************************************************************
3703 **
3704 ** Function btm_keypress_notif_evt
3705 **
3706 ** Description This function is called when a key press notification is
3707 ** received
3708 **
3709 ** Returns void
3710 **
3711 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3712 void btm_keypress_notif_evt (UINT8 *p)
3713 {
3714 tBTM_SP_KEYPRESS evt_data;
3715 UINT8 *p_bda;
3716
3717 /* parse & report BTM_SP_KEYPRESS_EVT */
3718 if (btm_cb.api.p_sp_callback)
3719 {
3720 p_bda = evt_data.bd_addr;
3721
3722 STREAM_TO_BDADDR (p_bda, p);
3723 evt_data.notif_type = *p;
3724
3725 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3726 }
3727 }
3728
3729 /*******************************************************************************
3730 **
3731 ** Function btm_simple_pair_complete
3732 **
3733 ** Description This function is called when simple pairing process is
3734 ** complete
3735 **
3736 ** Returns void
3737 **
3738 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3739 void btm_simple_pair_complete (UINT8 *p)
3740 {
3741 tBTM_SP_COMPLT evt_data;
3742 tBTM_SEC_DEV_REC *p_dev_rec;
3743 UINT8 status;
3744 BOOLEAN disc = FALSE;
3745
3746 status = *p++;
3747 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3748
3749 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3750 {
3751 BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3752 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3753 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3754 return;
3755 }
3756
3757 BTM_TRACE_EVENT ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u",
3758 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state);
3759
3760 evt_data.status = BTM_ERR_PROCESSING;
3761 if (status == HCI_SUCCESS)
3762 {
3763 evt_data.status = BTM_SUCCESS;
3764 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3765 }
3766 else
3767 {
3768 if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3769 {
3770 /* The test spec wants the peer device to get this failure code. */
3771 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3772
3773 /* Change the timer to 1 second */
3774 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3775 }
3776 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3777 {
3778 /* stop the timer */
3779 btu_stop_timer (&btm_cb.pairing_tle);
3780
3781 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3782 {
3783 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3784 disc = TRUE;
3785 }
3786 }
3787 else
3788 disc = TRUE;
3789 }
3790
3791 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3792 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3793 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3794
3795 if (btm_cb.api.p_sp_callback)
3796 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3797
3798 if (disc)
3799 {
3800 /* simple pairing failed */
3801 /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3802 if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3803 {
3804 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3805 }
3806 }
3807 }
3808
3809 #if BTM_OOB_INCLUDED == TRUE
3810 /*******************************************************************************
3811 **
3812 ** Function btm_rem_oob_req
3813 **
3814 ** Description This function is called to process/report
3815 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT
3816 **
3817 ** Returns void
3818 **
3819 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3820 void btm_rem_oob_req (UINT8 *p)
3821 {
3822 UINT8 *p_bda;
3823 tBTM_SP_RMT_OOB evt_data;
3824 tBTM_SEC_DEV_REC *p_dev_rec;
3825 BT_OCTET16 c;
3826 BT_OCTET16 r;
3827
3828 p_bda = evt_data.bd_addr;
3829
3830 STREAM_TO_BDADDR (p_bda, p);
3831
3832 BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3833 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3834
3835 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3836 btm_cb.api.p_sp_callback)
3837 {
3838 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3839 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3840 BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3841 evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3842
3843 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3844 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3845 {
3846 BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3847 }
3848 return;
3849 }
3850
3851 /* something bad. we can only fail this connection */
3852 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3853 btsnd_hcic_rem_oob_neg_reply (p_bda);
3854 }
3855
3856 /*******************************************************************************
3857 **
3858 ** Function btm_read_local_oob_complete
3859 **
3860 ** Description This function is called when read local oob data is
3861 ** completed by the LM
3862 **
3863 ** Returns void
3864 **
3865 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3866 void btm_read_local_oob_complete (UINT8 *p)
3867 {
3868 tBTM_SP_LOC_OOB evt_data;
3869 UINT8 status = *p++;
3870
3871 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3872 if (status == HCI_SUCCESS)
3873 {
3874 evt_data.status = BTM_SUCCESS;
3875 STREAM_TO_ARRAY16(evt_data.c, p);
3876 STREAM_TO_ARRAY16(evt_data.r, p);
3877 }
3878 else
3879 evt_data.status = BTM_ERR_PROCESSING;
3880
3881 if (btm_cb.api.p_sp_callback)
3882 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3883 }
3884 #endif /* BTM_OOB_INCLUDED */
3885
3886 /*******************************************************************************
3887 **
3888 ** Function btm_sec_auth_collision
3889 **
3890 ** Description This function is called when authentication or encryption
3891 ** needs to be retried at a later time.
3892 **
3893 ** Returns void
3894 **
3895 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3896 static void btm_sec_auth_collision (UINT16 handle)
3897 {
3898 tBTM_SEC_DEV_REC *p_dev_rec;
3899
3900 if (!btm_cb.collision_start_time)
3901 btm_cb.collision_start_time = GKI_get_tick_count ();
3902
3903 if ((GKI_get_tick_count () - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3904 {
3905 if (handle == BTM_SEC_INVALID_HANDLE)
3906 {
3907 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3908 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3909 }
3910 else
3911 p_dev_rec = btm_find_dev_by_handle (handle);
3912
3913 if (p_dev_rec != NULL)
3914 {
3915 BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3916 /* We will restart authentication after timeout */
3917 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3918 p_dev_rec->sec_state = 0;
3919
3920 btm_cb.p_collided_dev_rec = p_dev_rec;
3921 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
3922 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3923 }
3924 }
3925 }
3926
3927 /*******************************************************************************
3928 **
3929 ** Function btm_sec_auth_complete
3930 **
3931 ** Description This function is when authentication of the connection is
3932 ** completed by the LM
3933 **
3934 ** Returns void
3935 **
3936 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)3937 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
3938 {
3939 UINT8 old_sm4;
3940 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
3941 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3942 BOOLEAN are_bonding = FALSE;
3943
3944 /* Commenting out trace due to obf/compilation problems.
3945 */
3946 #if (BT_USE_TRACES == TRUE)
3947 if (p_dev_rec)
3948 {
3949 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s",
3950 btm_pair_state_descr (btm_cb.pairing_state),
3951 handle, status,
3952 p_dev_rec->sec_state,
3953 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
3954 p_dev_rec->sec_bd_name);
3955 }
3956 else
3957 {
3958 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d",
3959 btm_pair_state_descr (btm_cb.pairing_state),
3960 handle, status);
3961 }
3962 #endif
3963
3964 /* For transaction collision we need to wait and repeat. There is no need */
3965 /* for random timeout because only slave should receive the result */
3966 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
3967 {
3968 btm_sec_auth_collision(handle);
3969 return;
3970 }
3971 btm_cb.collision_start_time = 0;
3972
3973 btm_restore_mode();
3974
3975 /* Check if connection was made just to do bonding. If we authenticate
3976 the connection that is up, this is the last event received.
3977 */
3978 if (p_dev_rec
3979 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3980 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
3981 {
3982 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3983
3984 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3985 }
3986
3987 if (!p_dev_rec)
3988 return;
3989
3990 /* keep the old sm4 flag and clear the retry bit in control block */
3991 old_sm4 = p_dev_rec->sm4;
3992 p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
3993
3994 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3995 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3996 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
3997 are_bonding = TRUE;
3998
3999 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4000
4001 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
4002 {
4003 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
4004 && (old_state != BTM_PAIR_STATE_IDLE) )
4005 {
4006 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4007 p_dev_rec->dev_class,
4008 p_dev_rec->sec_bd_name, status);
4009 }
4010 return;
4011 }
4012
4013 /* There can be a race condition, when we are starting authentication and
4014 ** the peer device is doing encryption.
4015 ** If first we receive encryption change up, then initiated authentication
4016 ** can not be performed. According to the spec we can not do authentication
4017 ** on the encrypted link, so device is correct.
4018 */
4019 if ((status == HCI_ERR_COMMAND_DISALLOWED)
4020 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
4021 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
4022 {
4023 status = HCI_SUCCESS;
4024 }
4025 /* Currently we do not notify user if it is a keyboard which connects */
4026 /* User probably Disabled the keyboard while it was asleap. Let her try */
4027 if (btm_cb.api.p_auth_complete_callback)
4028 {
4029 /* report the suthentication status */
4030 if (old_state != BTM_PAIR_STATE_IDLE)
4031 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4032 p_dev_rec->dev_class,
4033 p_dev_rec->sec_bd_name, status);
4034 }
4035
4036 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4037
4038 /* If this is a bonding procedure can disconnect the link now */
4039 if (are_bonding)
4040 {
4041 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4042
4043 if (status != HCI_SUCCESS)
4044 {
4045 if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
4046 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
4047 }
4048 else
4049 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4050
4051 return;
4052 }
4053
4054 /* If authentication failed, notify the waiting layer */
4055 if (status != HCI_SUCCESS)
4056 {
4057 if ((old_sm4 & BTM_SM4_RETRY) == 0)
4058 {
4059 /* allow retry only once */
4060 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
4061 {
4062 /* not retried yet. set the retry bit */
4063 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4064 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4065 }
4066 /* this retry for missing key is for Lisbon or later only.
4067 * Legacy device do not need this. the controller will drive the retry automatically */
4068 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
4069 {
4070 /* not retried yet. set the retry bit */
4071 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4072 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4073 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4074
4075 /* With BRCM controller, we do not need to delete the stored link key in controller.
4076 If the stack may sit on top of other controller, we may need this
4077 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4078 }
4079
4080 if (p_dev_rec->sm4 & BTM_SM4_RETRY)
4081 {
4082 btm_sec_execute_procedure (p_dev_rec);
4083 return;
4084 }
4085 }
4086
4087 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4088
4089 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
4090 {
4091 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4092 }
4093 return;
4094 }
4095
4096 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4097
4098 /* Authentication succeeded, execute the next security procedure, if any */
4099 status = btm_sec_execute_procedure (p_dev_rec);
4100
4101 /* If there is no next procedure, or procedure failed to start, notify the caller */
4102 if (status != BTM_CMD_STARTED)
4103 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4104 }
4105
4106 /*******************************************************************************
4107 **
4108 ** Function btm_sec_mkey_comp_event
4109 **
4110 ** Description This function is when encryption of the connection is
4111 ** completed by the LM
4112 **
4113 ** Returns void
4114 **
4115 *******************************************************************************/
btm_sec_mkey_comp_event(UINT16 handle,UINT8 status,UINT8 key_flg)4116 void btm_sec_mkey_comp_event (UINT16 handle, UINT8 status, UINT8 key_flg)
4117 {
4118 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4119 UINT8 bd_addr[BD_ADDR_LEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} ;
4120
4121 BTM_TRACE_EVENT ("Security Manager: mkey comp status:%d State:%d",
4122 status, (p_dev_rec) ? p_dev_rec->sec_state : 0);
4123
4124 /* If encryption setup failed, notify the waiting layer */
4125 /* There is no next procedure or start of procedure failed, notify the waiting layer */
4126 if (btm_cb.mkey_cback)
4127 {
4128 if (!p_dev_rec)
4129 (btm_cb.mkey_cback)(bd_addr, status, key_flg );
4130 else
4131 (btm_cb.mkey_cback)(p_dev_rec->bd_addr, status, key_flg );
4132 }
4133 }
4134
4135 /*******************************************************************************
4136 **
4137 ** Function btm_sec_encrypt_change
4138 **
4139 ** Description This function is when encryption of the connection is
4140 ** completed by the LM
4141 **
4142 ** Returns void
4143 **
4144 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4145 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4146 {
4147 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4148 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4149 tACL_CONN *p_acl = NULL;
4150 UINT8 acl_idx = btm_handle_to_acl_index(handle);
4151 #endif
4152 BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
4153 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4154 BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4155
4156 /* For transaction collision we need to wait and repeat. There is no need */
4157 /* for random timeout because only slave should receive the result */
4158 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4159 {
4160 btm_sec_auth_collision(handle);
4161 return;
4162 }
4163 btm_cb.collision_start_time = 0;
4164
4165 if (!p_dev_rec)
4166 return;
4167
4168 if ((status == HCI_SUCCESS) && encr_enable)
4169 {
4170 if (p_dev_rec->hci_handle == handle)
4171 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4172 else
4173 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4174 }
4175
4176 /* It is possible that we decrypted the link to perform role switch */
4177 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4178 if ((status == HCI_SUCCESS) && !encr_enable)
4179 {
4180 if (p_dev_rec->hci_handle == handle)
4181 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4182 else
4183 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4184 }
4185
4186 BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4187
4188 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4189 if (acl_idx != MAX_L2CAP_LINKS )
4190 p_acl = &btm_cb.acl_db[acl_idx];
4191
4192 if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
4193 {
4194 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE
4195 ||status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
4196 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4197 btm_ble_link_encrypted(p_dev_rec->bd_addr, encr_enable);
4198 return;
4199 }
4200 else
4201 /* BR/EDR connection, update the encryption key size to be 16 as always */
4202 p_dev_rec->enc_key_size = 16;
4203 #endif
4204
4205 /* If this encryption was started by peer do not need to do anything */
4206 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4207 {
4208 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4209 {
4210 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4211 p_dev_rec->p_callback = NULL;
4212 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4213 }
4214 return;
4215 }
4216
4217 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4218
4219 /* If encryption setup failed, notify the waiting layer */
4220 if (status != HCI_SUCCESS)
4221 {
4222 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4223 return;
4224 }
4225
4226 /* Encryption setup succeeded, execute the next security procedure, if any */
4227 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4228
4229 /* If there is no next procedure, or procedure failed to start, notify the caller */
4230 if (status != BTM_CMD_STARTED)
4231 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4232 }
4233
4234 /*******************************************************************************
4235 **
4236 ** Function btm_sec_create_conn
4237 **
4238 ** Description This function records current role and forwards request to
4239 ** HCI
4240 **
4241 ** Returns void
4242 **
4243 *******************************************************************************/
btm_sec_create_conn(BD_ADDR bda,UINT16 packet_types,UINT8 page_scan_rep_mode,UINT8 page_scan_mode,UINT16 clock_offset,UINT8 allow_switch)4244 BOOLEAN btm_sec_create_conn (BD_ADDR bda, UINT16 packet_types,
4245 UINT8 page_scan_rep_mode, UINT8 page_scan_mode,
4246 UINT16 clock_offset, UINT8 allow_switch)
4247 {
4248 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (bda);
4249
4250 memcpy (btm_cb.connecting_bda, p_dev_rec->bd_addr, BD_ADDR_LEN);
4251 memcpy (btm_cb.connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
4252
4253 btm_cb.acl_disc_reason = 0xff ;
4254
4255 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4256 p_dev_rec->role_master = TRUE;
4257
4258 /* If any SCO link up, do not allow a switch */
4259 if (BTM_GetNumScoLinks() != 0)
4260 allow_switch = HCI_CR_CONN_NOT_ALLOW_SWITCH;
4261
4262 return(btsnd_hcic_create_conn (bda, packet_types, page_scan_rep_mode,
4263 page_scan_mode, clock_offset, allow_switch));
4264 }
4265
4266 /*******************************************************************************
4267 **
4268 ** Function btm_sec_connect_after_reject_timeout
4269 **
4270 ** Description Connection for bonding could not start because of the collision
4271 ** Initiate outgoing connection
4272 **
4273 ** Returns Pointer to the TLE struct
4274 **
4275 *******************************************************************************/
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4276 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4277 {
4278 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4279 UNUSED(p_tle);
4280
4281 BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()");
4282 btm_cb.sec_collision_tle.param = 0;
4283 btm_cb.p_collided_dev_rec = 0;
4284
4285 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4286 {
4287 BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4288
4289 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4290
4291 if (btm_cb.api.p_auth_complete_callback)
4292 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4293 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4294 }
4295 }
4296
4297 /*******************************************************************************
4298 **
4299 ** Function btm_sec_connected
4300 **
4301 ** Description This function is when a connection to the peer device is
4302 ** establsihed
4303 **
4304 ** Returns void
4305 **
4306 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4307 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4308 {
4309 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4310 UINT8 res;
4311 BOOLEAN is_pairing_device = FALSE;
4312 tACL_CONN *p_acl_cb;
4313 UINT8 bit_shift = 0;
4314
4315 btm_acl_resubmit_page();
4316
4317 /* Commenting out trace due to obf/compilation problems.
4318 */
4319 #if (BT_USE_TRACES == TRUE)
4320 if (p_dev_rec)
4321 {
4322 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s",
4323 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4324 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4325 p_dev_rec->sec_bd_name);
4326 }
4327 else
4328 {
4329 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ",
4330 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4331 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4332 }
4333 #endif
4334
4335 if (!p_dev_rec)
4336 {
4337 /* There is no device record for new connection. Allocate one */
4338 if (status == HCI_SUCCESS)
4339 {
4340 p_dev_rec = btm_sec_alloc_dev (bda);
4341 }
4342 else
4343 {
4344 /* can not find the device record and the status is error,
4345 * just ignore it */
4346 return;
4347 }
4348 }
4349 else /* Update the timestamp for this device */
4350 {
4351
4352 #if BLE_INCLUDED == TRUE
4353 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4354 #endif
4355 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4356 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4357 {
4358 /* tell L2CAP it's a bonding connection. */
4359 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4360 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4361 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4362 {
4363 /* if incoming connection failed while pairing, then try to connect and continue */
4364 /* Motorola S9 disconnects without asking pin code */
4365 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4366 {
4367 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4368
4369 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4370 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4371 {
4372 /* Start timer with 0 to initiate connection with new LCB */
4373 /* because L2CAP will delete current LCB with this event */
4374 btm_cb.p_collided_dev_rec = p_dev_rec;
4375 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4376 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4377 }
4378 else
4379 {
4380 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4381 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4382 }
4383 #if BTM_DISC_DURING_RS == TRUE
4384 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4385 #endif
4386 return;
4387 }
4388 else
4389 {
4390 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4391 }
4392 }
4393 /* always clear the pending flag */
4394 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4395 }
4396 }
4397
4398 #if BLE_INCLUDED == TRUE
4399 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4400 #endif
4401
4402 #if BTM_DISC_DURING_RS == TRUE
4403 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4404 #endif
4405
4406 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4407
4408 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4409 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4410 {
4411 /* if we rejected incoming connection from bonding device */
4412 if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4413 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4414 {
4415 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4416 btm_cb.pairing_flags, p_dev_rec->sm4);
4417
4418 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4419 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4420 {
4421 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4422 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4423 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4424 return;
4425 }
4426
4427 /* if we already have pin code */
4428 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4429 {
4430 /* Start timer with 0 to initiate connection with new LCB */
4431 /* because L2CAP will delete current LCB with this event */
4432 btm_cb.p_collided_dev_rec = p_dev_rec;
4433 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4434 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4435 }
4436
4437 return;
4438 }
4439 /* wait for incoming connection without resetting pairing state */
4440 else if (status == HCI_ERR_CONNECTION_EXISTS)
4441 {
4442 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4443 return;
4444 }
4445
4446 is_pairing_device = TRUE;
4447 }
4448
4449 /* If connection was made to do bonding restore link security if changed */
4450 btm_restore_mode();
4451
4452 /* if connection fails during pin request, notify application */
4453 if (status != HCI_SUCCESS)
4454 {
4455 /* If connection failed because of during pairing, need to tell user */
4456 if (is_pairing_device)
4457 {
4458 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4459 p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4460 BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4461
4462 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4463
4464 /* We need to notify host that the key is not known any more */
4465 if (btm_cb.api.p_auth_complete_callback)
4466 {
4467 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4468 p_dev_rec->dev_class,
4469 p_dev_rec->sec_bd_name, status);
4470 }
4471 }
4472 /*
4473 Do not send authentication failure, if following conditions hold good
4474 1. BTM Sec Pairing state is idle
4475 2. Link key for the remote device is present.
4476 3. Remote is SSP capable.
4477 */
4478 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4479 (((status == HCI_ERR_AUTH_FAILURE) ||
4480 (status == HCI_ERR_KEY_MISSING) ||
4481 (status == HCI_ERR_HOST_REJECT_SECURITY) ||
4482 (status == HCI_ERR_PAIRING_NOT_ALLOWED) ||
4483 (status == HCI_ERR_UNIT_KEY_USED) ||
4484 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4485 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) ||
4486 (status == HCI_ERR_REPEATED_ATTEMPTS))))
4487 {
4488 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4489 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4490
4491
4492 #ifdef BRCM_NOT_4_BTE
4493 /* If we rejected pairing, pass this special result code */
4494 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4495 {
4496 status = HCI_ERR_HOST_REJECT_SECURITY;
4497 }
4498 #endif
4499
4500 /* We need to notify host that the key is not known any more */
4501 if (btm_cb.api.p_auth_complete_callback)
4502 {
4503 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4504 p_dev_rec->dev_class,
4505 p_dev_rec->sec_bd_name, status);
4506 }
4507 }
4508
4509 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT ||
4510 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT)
4511 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4512 else
4513 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4514
4515 return;
4516 }
4517
4518 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4519 /* If dedicated bonding, and we now have a link key, we are all done */
4520 if ( is_pairing_device
4521 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4522 {
4523 if (p_dev_rec->link_key_not_sent)
4524 {
4525 p_dev_rec->link_key_not_sent = FALSE;
4526 btm_send_link_key_notif(p_dev_rec);
4527 }
4528
4529 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4530
4531 /* remember flag before it is initialized */
4532 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4533 res = TRUE;
4534 else
4535 res = FALSE;
4536
4537 if (btm_cb.api.p_auth_complete_callback)
4538 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4539 p_dev_rec->dev_class,
4540 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4541
4542 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4543
4544 if ( res )
4545 {
4546 /* Let l2cap start bond timer */
4547 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4548 }
4549
4550 return;
4551 }
4552
4553 p_dev_rec->hci_handle = handle;
4554
4555 /* role may not be correct here, it will be updated by l2cap, but we need to */
4556 /* notify btm_acl that link is up, so starting of rmt name request will not */
4557 /* set paging flag up */
4558 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4559 if (p_acl_cb)
4560 {
4561 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4562 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4563 /* For now there are a some devices that do not like sending */
4564 /* commands events and data at the same time. */
4565 /* Set the packet types to the default allowed by the device */
4566 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4567
4568 if (btm_cb.btm_def_link_policy)
4569 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4570 #endif
4571 }
4572 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4573
4574 /* Initialize security flags. We need to do that because some */
4575 /* authorization complete could have come after the connection is dropped */
4576 /* and that would set wrong flag that link has been authorized already */
4577 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4578 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4579
4580 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4581 p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4582
4583 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4584 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4585
4586 p_dev_rec->link_key_changed = FALSE;
4587
4588 /* After connection is established we perform security if we do not know */
4589 /* the name, or if we are originator because some procedure can have */
4590 /* been scheduled while connection was down */
4591 BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4592 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4593 {
4594 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4595 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4596 }
4597 return;
4598 }
4599
4600 /*******************************************************************************
4601 **
4602 ** Function btm_sec_role_changed
4603 **
4604 ** Description This function is colled when controller reports role
4605 ** changed, or failed command status for Role Change request
4606 **
4607 ** Returns void
4608 **
4609 *******************************************************************************/
btm_sec_role_changed(void * p_ref_data)4610 void btm_sec_role_changed (void *p_ref_data)
4611 {
4612 tBTM_SEC_DEV_REC *p_dev_rec = (tBTM_SEC_DEV_REC *)p_ref_data;
4613 UINT8 res;
4614
4615 BTM_TRACE_EVENT ("Security Manager: role changed");
4616
4617 /* If this role switch was started by peer do not need to do anything */
4618 if (p_dev_rec->sec_state != BTM_SEC_STATE_SWITCHING_ROLE)
4619 return;
4620
4621 /* If serurity required was to FORCE switch and it failed, notify the waiting layer */
4622 if (((p_dev_rec->security_required & BTM_SEC_FORCE_MASTER) && !p_dev_rec->role_master)
4623 || ((p_dev_rec->security_required & BTM_SEC_FORCE_SLAVE) && p_dev_rec->role_master))
4624 {
4625 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4626 return;
4627 }
4628
4629 p_dev_rec->sec_flags |= BTM_SEC_ROLE_SWITCHED;
4630
4631 p_dev_rec->security_required &= ~(BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
4632 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
4633
4634 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4635
4636 if ((res = (UINT8)btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4637 {
4638 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4639 }
4640 }
4641
4642 /*******************************************************************************
4643 **
4644 ** Function btm_sec_disconnect
4645 **
4646 ** Description This function is called to disconnect HCI link
4647 **
4648 ** Returns btm status
4649 **
4650 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4651 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4652 {
4653 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4654
4655 /* In some weird race condition we may not have a record */
4656 if (!p_dev_rec)
4657 {
4658 btsnd_hcic_disconnect (handle, reason);
4659 return(BTM_SUCCESS);
4660 }
4661
4662 /* If we are in the process of bonding we need to tell client that auth failed */
4663 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4664 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4665 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4666 {
4667 /* we are currently doing bonding. Link will be disconnected when done */
4668 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4669 return(BTM_BUSY);
4670 }
4671
4672 return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4673 }
4674
4675 /*******************************************************************************
4676 **
4677 ** Function btm_sec_disconnected
4678 **
4679 ** Description This function is when a connection to the peer device is
4680 ** dropped
4681 **
4682 ** Returns void
4683 **
4684 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4685 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4686 {
4687 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4688 UINT8 old_pairing_flags = btm_cb.pairing_flags;
4689 int result = HCI_ERR_AUTH_FAILURE;
4690 tBTM_SEC_CALLBACK *p_callback = NULL;
4691 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
4692
4693 /* If page was delayed for disc complete, can do it now */
4694 btm_cb.discing = FALSE;
4695
4696 btm_acl_resubmit_page();
4697
4698 if (!p_dev_rec)
4699 return;
4700
4701 transport = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4702
4703 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4704
4705 #if BTM_DISC_DURING_RS == TRUE
4706 BTM_TRACE_ERROR("btm_sec_disconnected - Clearing Pending flag");
4707 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4708 #endif
4709
4710 /* clear unused flags */
4711 p_dev_rec->sm4 &= BTM_SM4_TRUE;
4712
4713 BTM_TRACE_EVENT("btm_sec_disconnected() sec_req:x%x State: %s reason:%d bda:%04x%08x RName:%s",
4714 p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state), reason, (p_dev_rec->bd_addr[0]<<8)+p_dev_rec->bd_addr[1],
4715 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5], p_dev_rec->sec_bd_name);
4716
4717 BTM_TRACE_EVENT("before Update sec_flags=0x%x", p_dev_rec->sec_flags);
4718
4719 /* If we are in the process of bonding we need to tell client that auth failed */
4720 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4721 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4722 {
4723 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4724 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4725 if (btm_cb.api.p_auth_complete_callback)
4726 {
4727 /* If the disconnection reason is REPEATED_ATTEMPTS,
4728 send this error message to complete callback function
4729 to display the error message of Repeated attempts.
4730 All others, send HCI_ERR_AUTH_FAILURE. */
4731 if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4732 {
4733 result = HCI_ERR_REPEATED_ATTEMPTS;
4734 }
4735 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4736 {
4737 result = HCI_ERR_HOST_REJECT_SECURITY;
4738 }
4739 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4740 p_dev_rec->sec_bd_name, result);
4741 }
4742 }
4743
4744 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4745 p_dev_rec->enc_key_size = 0;
4746 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4747 /* see sec_flags processing in btm_acl_removed */
4748
4749 if (transport == BT_TRANSPORT_LE)
4750 {
4751 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4752 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4753 }
4754 else
4755 #endif
4756 {
4757 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4758 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED);
4759 }
4760
4761 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4762 p_dev_rec->security_required = BTM_SEC_NONE;
4763
4764 p_callback = p_dev_rec->p_callback;
4765
4766 /* if security is pending, send callback to clean up the security state */
4767 if(p_callback)
4768 {
4769 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4770 we do, this call back must be reset here */
4771 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4772 }
4773
4774 BTM_TRACE_EVENT("after Update sec_flags=0x%x", p_dev_rec->sec_flags);
4775 }
4776
4777 /*******************************************************************************
4778 **
4779 ** Function btm_sec_link_key_notification
4780 **
4781 ** Description This function is called when a new connection link key is
4782 ** generated
4783 **
4784 ** Returns Pointer to the record or NULL
4785 **
4786 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4787 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4788 {
4789 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4790 BOOLEAN we_are_bonding = FALSE;
4791
4792 BTM_TRACE_EVENT ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d",
4793 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4794 key_type);
4795
4796 /* If connection was made to do bonding restore link security if changed */
4797 btm_restore_mode();
4798
4799 /* Override the key type if version is pre-1.1 */
4800 if (btm_cb.devcb.local_version.hci_version < HCI_VERSION_1_1)
4801 p_dev_rec->link_key_type = BTM_LKEY_TYPE_IGNORE;
4802 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4803 p_dev_rec->link_key_type = key_type;
4804
4805 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4806 #if (BLE_INCLUDED == TRUE)
4807 /* BR/EDR connection, update the encryption key size to be 16 as always */
4808 p_dev_rec->enc_key_size = 16;
4809 #endif
4810 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4811
4812 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4813 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4814 {
4815 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4816 we_are_bonding = TRUE;
4817 else
4818 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4819 }
4820
4821 /* If name is not known at this point delay calling callback until the name is */
4822 /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4823 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4824 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL)) )
4825 {
4826 BTM_TRACE_EVENT ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d",
4827 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5], key_type);
4828
4829 p_dev_rec->link_key_not_sent = TRUE;
4830
4831 /* If it is for bonding nothing else will follow, so we need to start name resolution */
4832 if (we_are_bonding)
4833 {
4834 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4835 btm_inq_rmt_name_failed();
4836 }
4837
4838 BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4839 return;
4840 }
4841
4842 /* If its not us who perform authentication, we should tell stackserver */
4843 /* that some authentication has been completed */
4844 /* This is required when different entities receive link notification and auth complete */
4845 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
4846 {
4847 if (btm_cb.api.p_auth_complete_callback)
4848 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4849 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4850 }
4851
4852 /* We will save link key only if the user authorized it - BTE report link key in all cases */
4853 #ifdef BRCM_NONE_BTE
4854 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4855 #endif
4856 {
4857 if (btm_cb.api.p_link_key_callback)
4858 {
4859 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
4860 p_link_key, p_dev_rec->link_key_type);
4861 }
4862 }
4863 }
4864
4865 /*******************************************************************************
4866 **
4867 ** Function btm_sec_link_key_request
4868 **
4869 ** Description This function is called when controller requests link key
4870 **
4871 ** Returns Pointer to the record or NULL
4872 **
4873 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)4874 void btm_sec_link_key_request (UINT8 *p_bda)
4875 {
4876 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4877
4878 BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
4879 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
4880
4881 if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
4882 (btm_cb.collision_start_time != 0) &&
4883 (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
4884 {
4885 BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
4886 "State: %d START_TIMEOUT : %d",
4887 btm_cb.pairing_state, btm_cb.collision_start_time);
4888 btsnd_hcic_link_key_neg_reply (p_bda);
4889 return;
4890 }
4891 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
4892 {
4893 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4894 return;
4895 }
4896
4897 /* Notify L2CAP to increase timeout */
4898 l2c_pin_code_request (p_bda);
4899
4900 /* Only ask the host for a key if this guy is not already bonding */
4901 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
4902 || (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) )
4903 {
4904 if (btm_cb.api.p_link_key_req_callback)
4905 {
4906 if ((*btm_cb.api.p_link_key_req_callback)(p_bda, p_dev_rec->link_key) == BTM_SUCCESS)
4907 {
4908 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4909 return;
4910 }
4911 }
4912 }
4913
4914 /* The link key is not in the database and it is not known to the manager */
4915 btsnd_hcic_link_key_neg_reply (p_bda);
4916 }
4917
4918 /*******************************************************************************
4919 **
4920 ** Function btm_sec_pairing_timeout
4921 **
4922 ** Description This function is called when host does not provide PIN
4923 ** within requested time
4924 **
4925 ** Returns Pointer to the TLE struct
4926 **
4927 *******************************************************************************/
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)4928 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
4929 {
4930 tBTM_CB *p_cb = &btm_cb;
4931 tBTM_SEC_DEV_REC *p_dev_rec;
4932 #if BTM_OOB_INCLUDED == TRUE
4933 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
4934 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
4935 #else
4936 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES;
4937 #endif
4938 #endif
4939 UINT8 name[2];
4940 UNUSED(p_tle);
4941
4942 p_cb->pairing_tle.param = 0;
4943 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
4944 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
4945 */
4946 p_dev_rec = btm_find_dev (p_cb->pairing_bda);
4947
4948 BTM_TRACE_EVENT ("btm_sec_pairing_timeout() State: %s Flags: %u",
4949 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
4950
4951 switch (p_cb->pairing_state)
4952 {
4953 case BTM_PAIR_STATE_WAIT_PIN_REQ:
4954 btm_sec_bond_cancel_complete();
4955 break;
4956
4957 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
4958 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
4959 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
4960 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4961 /* We need to notify the UI that no longer need the PIN */
4962 if (btm_cb.api.p_auth_complete_callback)
4963 {
4964 if (p_dev_rec == NULL)
4965 {
4966 name[0] = 0;
4967 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4968 NULL,
4969 name, HCI_ERR_CONNECTION_TOUT);
4970 }
4971 else
4972 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4973 p_dev_rec->dev_class,
4974 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4975 }
4976 break;
4977
4978 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
4979 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
4980 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4981 break;
4982
4983 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
4984 case BTM_PAIR_STATE_KEY_ENTRY:
4985 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
4986 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4987 break;
4988 #endif /* !BTM_IO_CAP_NONE */
4989
4990 #if BTM_OOB_INCLUDED == TRUE
4991 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
4992 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4993 auth_req |= BTM_AUTH_DD_BOND;
4994
4995 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
4996 BTM_OOB_NONE, auth_req);
4997 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4998 break;
4999
5000 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5001 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
5002 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5003 break;
5004 #endif /* BTM_OOB_INCLUDED */
5005
5006 case BTM_PAIR_STATE_WAIT_DISCONNECT:
5007 /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
5008 * now it's time to tear down the ACL link*/
5009 if (p_dev_rec == NULL)
5010 {
5011 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
5012 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
5013 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
5014 break;
5015 }
5016 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
5017 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5018 break;
5019
5020 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5021 /* We need to notify the UI that timeout has happened while waiting for authentication*/
5022 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5023 if (btm_cb.api.p_auth_complete_callback)
5024 {
5025 if (p_dev_rec == NULL)
5026 {
5027 name[0] = 0;
5028 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5029 NULL,
5030 name, HCI_ERR_CONNECTION_TOUT);
5031 }
5032 else
5033 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5034 p_dev_rec->dev_class,
5035 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5036 }
5037 break;
5038
5039 default:
5040 BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
5041 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5042 break;
5043 }
5044 }
5045
5046 /*******************************************************************************
5047 **
5048 ** Function btm_sec_pin_code_request
5049 **
5050 ** Description This function is called when controller requests PIN code
5051 **
5052 ** Returns Pointer to the record or NULL
5053 **
5054 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)5055 void btm_sec_pin_code_request (UINT8 *p_bda)
5056 {
5057 tBTM_SEC_DEV_REC *p_dev_rec;
5058 tBTM_CB *p_cb = &btm_cb;
5059
5060 #ifdef PORCHE_PAIRING_CONFLICT
5061 UINT8 default_pin_code_len = 4;
5062 PIN_CODE default_pin_code = {0x30, 0x30, 0x30, 0x30};
5063 #endif
5064 BTM_TRACE_EVENT ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x",
5065 btm_pair_state_descr(btm_cb.pairing_state),
5066 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
5067
5068 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
5069 {
5070 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) &&
5071 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
5072 {
5073 /* fake this out - porshe carkit issue - */
5074 // btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
5075 if(! btm_cb.pin_code_len_saved)
5076 {
5077 btsnd_hcic_pin_code_neg_reply (p_bda);
5078 return;
5079 }
5080 else
5081 {
5082 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5083 return;
5084 }
5085 }
5086 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5087 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
5088 {
5089 BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
5090 btm_pair_state_descr(btm_cb.pairing_state));
5091
5092 #ifdef PORCHE_PAIRING_CONFLICT
5093 /* reply pin code again due to counter in_rand when local initiates pairing */
5094 BTM_TRACE_EVENT ("btm_sec_pin_code_request from remote dev. for local initiated pairing");
5095 if(! btm_cb.pin_code_len_saved)
5096 {
5097 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5098 btsnd_hcic_pin_code_req_reply (p_bda, default_pin_code_len, default_pin_code);
5099 }
5100 else
5101 {
5102 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5103 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5104 }
5105 #else
5106 btsnd_hcic_pin_code_neg_reply (p_bda);
5107 #endif
5108 return;
5109 }
5110 }
5111
5112 p_dev_rec = btm_find_or_alloc_dev (p_bda);
5113 /* received PIN code request. must be non-sm4 */
5114 p_dev_rec->sm4 = BTM_SM4_KNOWN;
5115
5116 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
5117 {
5118 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5119
5120 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5121 /* Make sure we reset the trusted mask to help against attacks */
5122 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5123 }
5124
5125 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
5126 {
5127 BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
5128 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5129 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5130 return;
5131 }
5132
5133 /* Use the connecting device's CoD for the connection */
5134 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5135 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
5136 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5137
5138 /* We could have started connection after asking user for the PIN code */
5139 if (btm_cb.pin_code_len != 0)
5140 {
5141 BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
5142 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5143
5144 #ifdef PORCHE_PAIRING_CONFLICT
5145 btm_cb.pin_code_len_saved = btm_cb.pin_code_len;
5146 #endif
5147
5148 /* Mark that we forwarded received from the user PIN code */
5149 btm_cb.pin_code_len = 0;
5150
5151 /* We can change mode back right away, that other connection being established */
5152 /* is not forced to be secure - found a FW issue, so we can not do this
5153 btm_restore_mode(); */
5154
5155 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5156 }
5157
5158 /* If pairing disabled OR (no PIN callback and not bonding) */
5159 /* OR we could not allocate entry in the database reject pairing request */
5160 else if (p_cb->pairing_disabled
5161 || (p_cb->api.p_pin_callback == NULL)
5162
5163 /* OR Microsoft keyboard can for some reason try to establish connection */
5164 /* the only thing we can do here is to shut it up. Normally we will be originator */
5165 /* for keyboard bonding */
5166 || (!p_dev_rec->is_originator
5167 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5168 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
5169 {
5170 BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
5171 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5172
5173 btsnd_hcic_pin_code_neg_reply (p_bda);
5174 }
5175 /* Notify upper layer of PIN request and start expiration timer */
5176 else
5177 {
5178 btm_cb.pin_code_len_saved = 0;
5179 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5180 /* Pin code request can not come at the same time as connection request */
5181 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5182 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
5183
5184 /* Check if the name is known */
5185 /* Even if name is not known we might not be able to get one */
5186 /* this is the case when we are already getting something from the */
5187 /* device, so HCI level is flow controlled */
5188 /* Also cannot send remote name request while paging, i.e. connection is not completed */
5189 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5190 {
5191 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
5192
5193 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5194 if (p_cb->api.p_pin_callback)
5195 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5196 }
5197 else
5198 {
5199 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
5200
5201 /* We received PIN code request for the device with unknown name */
5202 /* it is not user friendly just to ask for the PIN without name */
5203 /* try to get name at first */
5204 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
5205 HCI_PAGE_SCAN_REP_MODE_R1,
5206 HCI_MANDATARY_PAGE_SCAN_MODE, 0))
5207 {
5208 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
5209 p_dev_rec->sec_bd_name[0] = 'f';
5210 p_dev_rec->sec_bd_name[1] = '0';
5211 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
5212
5213 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5214 if (p_cb->api.p_pin_callback)
5215 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5216 }
5217 }
5218 }
5219
5220 return;
5221 }
5222
5223 /*******************************************************************************
5224 **
5225 ** Function btm_sec_update_clock_offset
5226 **
5227 ** Description This function is called to update clock offset
5228 **
5229 ** Returns void
5230 **
5231 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5232 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5233 {
5234 tBTM_SEC_DEV_REC *p_dev_rec;
5235 tBTM_INQ_INFO *p_inq_info;
5236
5237 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5238 return;
5239
5240 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5241
5242 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5243 return;
5244
5245 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5246 }
5247
5248
5249 /******************************************************************
5250 ** S T A T I C F U N C T I O N S
5251 *******************************************************************/
5252
5253 /*******************************************************************************
5254 **
5255 ** Function btm_sec_execute_procedure
5256 **
5257 ** Description This function is called to start required security
5258 ** procedure. There is a case when multiplexing protocol
5259 ** calls this function on the originating side, connection to
5260 ** the peer will not be established. This function in this
5261 ** case performs only authorization.
5262 **
5263 ** Returns BTM_SUCCESS - permission is granted
5264 ** BTM_CMD_STARTED - in process
5265 ** BTM_NO_RESOURCES - permission declined
5266 **
5267 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5268 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5269 {
5270 BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5271 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5272
5273 /* There is a chance that we are getting name. Wait until done. */
5274 if (p_dev_rec->sec_state != 0)
5275 return(BTM_CMD_STARTED);
5276
5277 /* If any security is required, get the name first */
5278 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5279 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5280 {
5281 BTM_TRACE_EVENT ("Security Manager: Start get name");
5282 if (!btm_sec_start_get_name (p_dev_rec))
5283 {
5284 return(BTM_NO_RESOURCES);
5285 }
5286 return(BTM_CMD_STARTED);
5287 }
5288
5289 /* If connection is not authenticated and authentication is required */
5290 /* start authentication and return PENDING to the caller */
5291 if ((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5292 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5293 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE)))
5294 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5295 {
5296 #if (L2CAP_UCD_INCLUDED == TRUE)
5297 /* if incoming UCD packet, discard it */
5298 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5299 return(BTM_FAILED_ON_SECURITY);
5300 #endif
5301
5302 BTM_TRACE_EVENT ("Security Manager: Start authentication");
5303
5304 if (!btm_sec_start_authentication (p_dev_rec))
5305 {
5306 return(BTM_NO_RESOURCES);
5307 }
5308 return(BTM_CMD_STARTED);
5309 }
5310
5311 /* If connection is not encrypted and encryption is required */
5312 /* start encryption and return PENDING to the caller */
5313 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5314 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5315 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5316 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5317 {
5318 #if (L2CAP_UCD_INCLUDED == TRUE)
5319 /* if incoming UCD packet, discard it */
5320 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5321 return(BTM_FAILED_ON_SECURITY);
5322 #endif
5323
5324 BTM_TRACE_EVENT ("Security Manager: Start encryption");
5325
5326 if (!btm_sec_start_encryption (p_dev_rec))
5327 {
5328 return(BTM_NO_RESOURCES);
5329 }
5330 return(BTM_CMD_STARTED);
5331 }
5332
5333 /* If connection is not authorized and authorization is required */
5334 /* start authorization and return PENDING to the caller */
5335 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5336 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5337 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5338 {
5339 BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5340 p_dev_rec->p_cur_service->service_id,
5341 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5342 p_dev_rec->p_cur_service->service_id)));
5343 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5344 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5345 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5346 p_dev_rec->p_cur_service->service_id) == FALSE))
5347 {
5348 BTM_TRACE_EVENT ("Security Manager: Start authorization");
5349 return(btm_sec_start_authorization (p_dev_rec));
5350 }
5351 }
5352
5353 /* All required security procedures already established */
5354 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5355 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5356 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5357 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5358 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5359
5360 BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5361 BTM_TRACE_EVENT ("Security Manager: access granted");
5362
5363 return(BTM_SUCCESS);
5364 }
5365
5366
5367 /*******************************************************************************
5368 **
5369 ** Function btm_sec_start_get_name
5370 **
5371 ** Description This function is called to start get name procedure
5372 **
5373 ** Returns TRUE if started
5374 **
5375 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5376 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5377 {
5378 UINT8 tempstate = p_dev_rec->sec_state;
5379
5380 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5381
5382 /* Device should be connected, no need to provide correct page params */
5383 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5384 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5385 0, NULL)) != BTM_CMD_STARTED)
5386 {
5387 p_dev_rec->sec_state = tempstate;
5388 return(FALSE);
5389 }
5390
5391 return(TRUE);
5392 }
5393
5394 /*******************************************************************************
5395 **
5396 ** Function btm_sec_start_authentication
5397 **
5398 ** Description This function is called to start authentication
5399 **
5400 ** Returns TRUE if started
5401 **
5402 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5403 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5404 {
5405 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5406
5407 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5408 }
5409
5410 /*******************************************************************************
5411 **
5412 ** Function btm_sec_start_encryption
5413 **
5414 ** Description This function is called to start encryption
5415 **
5416 ** Returns TRUE if started
5417 **
5418 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5419 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5420 {
5421 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5422 return(FALSE);
5423
5424 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5425 return(TRUE);
5426 }
5427
5428
5429 /*******************************************************************************
5430 **
5431 ** Function btm_sec_start_authorization
5432 **
5433 ** Description This function is called to start authorization
5434 **
5435 ** Returns TRUE if started
5436 **
5437 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5438 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5439 {
5440 UINT8 result;
5441 UINT8 *p_service_name = NULL;
5442 UINT8 service_id;
5443
5444 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5445 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5446 {
5447 if (!btm_cb.api.p_authorize_callback)
5448 return(BTM_MODE_UNSUPPORTED);
5449
5450 if (p_dev_rec->p_cur_service)
5451 {
5452 #if BTM_SEC_SERVICE_NAME_LEN > 0
5453 if (p_dev_rec->is_originator)
5454 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5455 else
5456 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5457 #endif
5458 service_id = p_dev_rec->p_cur_service->service_id;
5459 }
5460 else
5461 service_id = 0;
5462
5463 /* Send authorization request if not already sent during this service connection */
5464 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5465 || p_dev_rec->last_author_service_id != service_id)
5466 {
5467 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5468 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5469 p_dev_rec->dev_class,
5470 p_dev_rec->sec_bd_name,
5471 p_service_name,
5472 service_id,
5473 p_dev_rec->is_originator);
5474 }
5475
5476 else /* Already authorized once for this L2CAP bringup */
5477 {
5478 BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5479 return (BTM_SUCCESS);
5480 }
5481
5482 if (result == BTM_SUCCESS)
5483 {
5484 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5485
5486 /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5487 if (!p_dev_rec->is_originator)
5488 p_dev_rec->last_author_service_id = service_id;
5489
5490 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5491 }
5492 return(result);
5493 }
5494 btm_sec_start_get_name (p_dev_rec);
5495 return(BTM_CMD_STARTED);
5496 }
5497
5498 /*******************************************************************************
5499 **
5500 ** Function btm_sec_are_all_trusted
5501 **
5502 ** Description This function is called check if all services are trusted
5503 **
5504 ** Returns TRUE if all are trusted, otherwise FALSE
5505 **
5506 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5507 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5508 {
5509 UINT32 trusted_inx;
5510 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5511 {
5512 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5513 return(FALSE);
5514 }
5515
5516 return(TRUE);
5517 }
5518
5519 /*******************************************************************************
5520 **
5521 ** Function btm_sec_find_first_serv
5522 **
5523 ** Description Look for the first record in the service database
5524 ** with specified PSM
5525 **
5526 ** Returns Pointer to the record or NULL
5527 **
5528 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5529 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5530 {
5531 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5532 int i;
5533 BOOLEAN is_originator;
5534
5535 #if (L2CAP_UCD_INCLUDED == TRUE)
5536
5537 if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5538 is_originator = TRUE;
5539 else
5540 is_originator = FALSE;
5541 #else
5542 is_originator = conn_type;
5543 #endif
5544
5545 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5546 {
5547 /* If this is outgoing connection and the PSM matches p_out_serv,
5548 * use it as the current service */
5549 return btm_cb.p_out_serv;
5550 }
5551
5552 /* otherwise, just find the first record with the specified PSM */
5553 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5554 {
5555 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5556 return(p_serv_rec);
5557 }
5558 return(NULL);
5559 }
5560
5561
5562 /*******************************************************************************
5563 **
5564 ** Function btm_sec_find_next_serv
5565 **
5566 ** Description Look for the next record in the service database
5567 ** with specified PSM
5568 **
5569 ** Returns Pointer to the record or NULL
5570 **
5571 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5572 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5573 {
5574 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5575 int i;
5576
5577 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5578 {
5579 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5580 && (p_serv_rec->psm == p_cur->psm) )
5581 {
5582 if (p_cur != p_serv_rec)
5583 {
5584 return(p_serv_rec);
5585 }
5586 }
5587 }
5588 return(NULL);
5589 }
5590
5591
5592 /*******************************************************************************
5593 **
5594 ** Function btm_sec_find_mx_serv
5595 **
5596 ** Description Look for the record in the service database with specified
5597 ** PSM and multiplexor channel information
5598 **
5599 ** Returns Pointer to the record or NULL
5600 **
5601 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5602 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5603 UINT32 mx_proto_id, UINT32 mx_chan_id)
5604 {
5605 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5606 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5607 int i;
5608
5609 BTM_TRACE_DEBUG ("btm_sec_find_mx_serv");
5610 if (is_originator && p_out_serv && p_out_serv->psm == psm
5611 && p_out_serv->mx_proto_id == mx_proto_id
5612 && p_out_serv->orig_mx_chan_id == mx_chan_id)
5613 {
5614 /* If this is outgoing connection and the parameters match p_out_serv,
5615 * use it as the current service */
5616 return btm_cb.p_out_serv;
5617 }
5618
5619 /* otherwise, the old way */
5620 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5621 {
5622 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5623 && (p_serv_rec->psm == psm)
5624 && (p_serv_rec->mx_proto_id == mx_proto_id)
5625 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
5626 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id))))
5627 {
5628 return(p_serv_rec);
5629 }
5630 }
5631 return(NULL);
5632 }
5633
5634
5635 /*******************************************************************************
5636 **
5637 ** Function btm_sec_collision_timeout
5638 **
5639 ** Description Encryption could not start because of the collision
5640 ** try to do it again
5641 **
5642 ** Returns Pointer to the TLE struct
5643 **
5644 *******************************************************************************/
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5645 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5646 {
5647 tBTM_STATUS status;
5648 UNUSED(p_tle);
5649
5650 BTM_TRACE_EVENT ("btm_sec_collision_timeout()");
5651 btm_cb.sec_collision_tle.param = 0;
5652
5653 status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5654
5655 /* If result is pending reply from the user or from the device is pending */
5656 if (status != BTM_CMD_STARTED)
5657 {
5658 /* There is no next procedure or start of procedure failed, notify the waiting layer */
5659 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5660 }
5661 }
5662
5663 /*******************************************************************************
5664 **
5665 ** Function btm_sec_link_key_request
5666 **
5667 ** Description This function is called when controller requests link key
5668 **
5669 ** Returns Pointer to the record or NULL
5670 **
5671 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5672 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5673 {
5674 if (btm_cb.api.p_link_key_callback)
5675 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5676 p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5677 p_dev_rec->link_key_type);
5678 }
5679
5680 /*******************************************************************************
5681 **
5682 ** Function BTM_ReadTrustedMask
5683 **
5684 ** Description Get trusted mask for the peer device
5685 **
5686 ** Parameters: bd_addr - Address of the device
5687 **
5688 ** Returns NULL, if the device record is not found.
5689 ** otherwise, the trusted mask
5690 **
5691 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5692 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5693 {
5694 tBTM_SEC_DEV_REC *p_dev_rec;
5695
5696 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
5697 {
5698 return(p_dev_rec->trusted_mask);
5699 }
5700 else
5701 {
5702 return NULL;
5703 }
5704 }
5705
5706 /*******************************************************************************
5707 **
5708 ** Function btm_restore_mode
5709 **
5710 ** Description This function returns the security mode to previous setting
5711 ** if it was changed during bonding.
5712 **
5713 **
5714 ** Parameters: void
5715 **
5716 *******************************************************************************/
btm_restore_mode(void)5717 static void btm_restore_mode(void)
5718 {
5719 if (btm_cb.security_mode_changed)
5720 {
5721 btm_cb.security_mode_changed = FALSE;
5722 BTM_TRACE_DEBUG("btm_restore_mode: Authen Enable -> %d", (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5723 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5724 }
5725
5726 if (btm_cb.pin_type_changed)
5727 {
5728 btm_cb.pin_type_changed = FALSE;
5729 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5730 }
5731 }
5732
5733
5734 /*******************************************************************************
5735 **
5736 ** Function btm_sec_find_dev_by_sec_state
5737 **
5738 ** Description Look for the record in the device database for the device
5739 ** which is being authenticated or encrypted
5740 **
5741 ** Returns Pointer to the record or NULL
5742 **
5743 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5744 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5745 {
5746 tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5747 int i;
5748
5749 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5750 {
5751 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5752 && (p_dev_rec->sec_state == state))
5753 return(p_dev_rec);
5754 }
5755 return(NULL);
5756 }
5757
5758 /*******************************************************************************
5759 **
5760 ** Function BTM_snd_conn_encrypt
5761 **
5762 ** Description This function is called to start/stop encryption
5763 ** Used by JSR-82
5764 **
5765 ** Returns TRUE if request started
5766 **
5767 *******************************************************************************/
BTM_snd_conn_encrypt(UINT16 handle,BOOLEAN enable)5768 BOOLEAN BTM_snd_conn_encrypt (UINT16 handle, BOOLEAN enable)
5769 {
5770 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
5771
5772 BTM_TRACE_EVENT ("BTM_snd_conn_encrypt Security Manager: encrypt_change p_dev_rec : 0x%x, enable = %s", p_dev_rec, (enable == TRUE) ? "TRUE" : "FALSE");
5773
5774 if (!p_dev_rec)
5775 {
5776 BTM_TRACE_EVENT ("BTM_snd_conn_encrypt Error no p_dev_rec : 0x%x\n", p_dev_rec);
5777 return(FALSE);
5778 }
5779
5780 if ( p_dev_rec->sec_state == BTM_SEC_STATE_IDLE)
5781 {
5782 if (!btsnd_hcic_set_conn_encrypt (handle, enable))
5783 return(FALSE);
5784
5785 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5786
5787 return(TRUE);
5788 }
5789 else
5790 return(FALSE);
5791 }
5792
5793 /*******************************************************************************
5794 **
5795 ** Function btm_sec_change_pairing_state
5796 **
5797 ** Description This function is called to change pairing state
5798 **
5799 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5800 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5801 {
5802 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
5803
5804 BTM_TRACE_EVENT ("btm_sec_change_pairing_state Old: %s", btm_pair_state_descr(btm_cb.pairing_state));
5805 BTM_TRACE_EVENT ("btm_sec_change_pairing_state New: %s pairing_flags:0x%x",btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5806
5807 btm_cb.pairing_state = new_state;
5808
5809 if (new_state == BTM_PAIR_STATE_IDLE)
5810 {
5811 btu_stop_timer (&btm_cb.pairing_tle);
5812
5813 btm_cb.pairing_flags = 0;
5814 btm_cb.pin_code_len = 0;
5815
5816 /* Make sure the the lcb shows we are not bonding */
5817 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5818
5819 btm_restore_mode();
5820 btm_sec_check_pending_reqs();
5821 btm_inq_clear_ssp();
5822
5823 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5824 }
5825 else
5826 {
5827 /* If transitionng out of idle, mark the lcb as bonding */
5828 if (old_state == BTM_PAIR_STATE_IDLE)
5829 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5830
5831 btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5832
5833 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5834 }
5835 }
5836
5837
5838 /*******************************************************************************
5839 **
5840 ** Function btm_pair_state_descr
5841 **
5842 ** Description Return state description for tracing
5843 **
5844 *******************************************************************************/
5845 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5846 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5847 {
5848 #if (BT_TRACE_VERBOSE == TRUE)
5849 switch (state)
5850 {
5851 case BTM_PAIR_STATE_IDLE: return("IDLE");
5852 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME");
5853 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ");
5854 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN");
5855 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM");
5856 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY");
5857 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP");
5858 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS");
5859 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP");
5860 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE");
5861 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT");
5862 }
5863
5864 return("???");
5865 #else
5866 sprintf(btm_cb.state_temp_buffer,"%hu",state);
5867
5868 return(btm_cb.state_temp_buffer);
5869 #endif
5870 }
5871 #endif
5872
5873
5874 /*******************************************************************************
5875 **
5876 ** Function btm_sec_dev_rec_cback_event
5877 **
5878 ** Description This function calls the callback function with the given
5879 ** result and clear the callback function.
5880 **
5881 ** Parameters: void
5882 **
5883 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)5884 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
5885 {
5886 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback;
5887 tBT_TRANSPORT transport = is_le_transport ? BT_TRANSPORT_LE : BT_TRANSPORT_BR_EDR;
5888
5889 if (p_dev_rec->p_callback)
5890 {
5891 p_dev_rec->p_callback = NULL;
5892
5893 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, res);
5894
5895 }
5896 btm_sec_check_pending_reqs();
5897 }
5898
5899 /*******************************************************************************
5900 **
5901 ** Function btm_sec_queue_mx_request
5902 **
5903 ** Description Return state description for tracing
5904 **
5905 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5906 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
5907 UINT32 mx_proto_id, UINT32 mx_chan_id,
5908 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5909 {
5910 tBTM_SEC_QUEUE_ENTRY *p_e;
5911
5912 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
5913
5914 if (p_e)
5915 {
5916 p_e->psm = psm;
5917 p_e->is_orig = is_orig;
5918 p_e->p_callback = p_callback;
5919 p_e->p_ref_data = p_ref_data;
5920 p_e->mx_proto_id = mx_proto_id;
5921 p_e->mx_chan_id = mx_chan_id;
5922
5923 memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5924
5925 BTM_TRACE_EVENT ("btm_sec_queue_mx_request() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
5926 psm, is_orig, mx_proto_id, mx_chan_id);
5927
5928 GKI_enqueue (&btm_cb.sec_pending_q, p_e);
5929
5930 return(TRUE);
5931 }
5932
5933 return(FALSE);
5934 }
5935
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)5936 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec)
5937 {
5938 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5939 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5940 BOOLEAN rv = FALSE;
5941
5942 if ((major == BTM_COD_MAJOR_AUDIO)
5943 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
5944 {
5945 BTM_TRACE_EVENT ("btm_sec_check_prefetch_pin: Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x", major, minor);
5946
5947 if (btm_cb.security_mode_changed == FALSE)
5948 {
5949 btm_cb.security_mode_changed = TRUE;
5950 #ifdef APPL_AUTH_WRITE_EXCEPTION
5951 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
5952 #endif
5953 btsnd_hcic_write_auth_enable (TRUE);
5954 }
5955 }
5956 else
5957 {
5958 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5959
5960 /* If we got a PIN, use that, else try to get one */
5961 if (btm_cb.pin_code_len)
5962 {
5963 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
5964 }
5965 else
5966 {
5967 /* pin was not supplied - pre-fetch pin code now */
5968 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
5969 {
5970 BTM_TRACE_DEBUG("btm_sec_check_prefetch_pin: PIN code callback called");
5971 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
5972 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5973 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_dev_rec->sec_bd_name);
5974 }
5975 }
5976
5977 rv = TRUE;
5978 }
5979
5980 return rv;
5981 }
5982
5983 #if (BLE_INCLUDED == TRUE)
5984 /*******************************************************************************
5985 **
5986 ** Function btm_sec_clear_ble_keys
5987 **
5988 ** Description This function is called to clear out the BLE keys.
5989 ** Typically when devices are removed in BTM_SecDeleteDevice,
5990 ** or when a new BT Link key is generated.
5991 **
5992 ** Returns void
5993 **
5994 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)5995 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec)
5996 {
5997
5998 BTM_TRACE_DEBUG ("btm_sec_clear_ble_keys: Clearing BLE Keys");
5999 #if (SMP_INCLUDED== TRUE)
6000 p_dev_rec->ble.key_type = 0;
6001 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6002 #endif
6003 gatt_delete_dev_from_srv_chg_clt_list(p_dev_rec->bd_addr);
6004 }
6005
6006
6007 /*******************************************************************************
6008 **
6009 ** Function btm_sec_is_a_bonded_dev
6010 **
6011 ** Description Is the specified device is a bonded device
6012 **
6013 ** Returns TRUE - dev is bonded
6014 **
6015 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6016 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6017 {
6018
6019 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6020 BOOLEAN is_bonded= FALSE;
6021
6022 if (p_dev_rec &&
6023 #if (SMP_INCLUDED== TRUE)
6024 ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
6025 #endif
6026 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
6027 {
6028 is_bonded = TRUE;
6029 }
6030 BTM_TRACE_DEBUG ("btm_sec_is_a_bonded_dev is_bonded=%d", is_bonded);
6031 return(is_bonded);
6032 }
6033
6034 /*******************************************************************************
6035 **
6036 ** Function btm_sec_is_le_capable_dev
6037 **
6038 ** Description Is the specified device is dual mode or LE only device
6039 **
6040 ** Returns TRUE - dev is a dual mode
6041 **
6042 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6043 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6044 {
6045 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6046 BOOLEAN le_capable = FALSE;
6047
6048 #if (BLE_INCLUDED== TRUE)
6049 if (p_dev_rec && ((p_dev_rec->device_type == BT_DEVICE_TYPE_DUMO) ||
6050 (p_dev_rec->device_type == BT_DEVICE_TYPE_BLE) ) )
6051 {
6052 le_capable = TRUE;
6053 }
6054 #endif
6055 return le_capable;
6056 }
6057
6058 /*******************************************************************************
6059 **
6060 ** Function btm_sec_find_bonded_dev
6061 **
6062 ** Description Find a bonded device starting from the specified index
6063 **
6064 ** Returns TRUE - found a bonded device
6065 **
6066 *******************************************************************************/
btm_sec_find_bonded_dev(UINT8 start_idx,UINT8 * p_found_idx,tBTM_SEC_DEV_REC ** p_rec)6067 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC **p_rec)
6068 {
6069 BOOLEAN found= FALSE;
6070
6071 #if (SMP_INCLUDED== TRUE)
6072 tBTM_SEC_DEV_REC *p_dev_rec;
6073 int i;
6074 if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
6075 {
6076 BTM_TRACE_DEBUG ("LE bonded device not found");
6077 return found;
6078 }
6079
6080 p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
6081 for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
6082 {
6083 if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
6084 {
6085 *p_found_idx = i;
6086 *p_rec = p_dev_rec;
6087 break;
6088 }
6089 }
6090 BTM_TRACE_DEBUG ("btm_sec_find_bonded_dev=%d", found);
6091 #endif
6092 return(found);
6093 }
6094 #endif /* BLE_INCLUDED */
6095
6096