• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /******************************************************************************
2  *
3  *  Copyright (C) 1999-2012 Broadcom Corporation
4  *
5  *  Licensed under the Apache License, Version 2.0 (the "License");
6  *  you may not use this file except in compliance with the License.
7  *  You may obtain a copy of the License at:
8  *
9  *  http://www.apache.org/licenses/LICENSE-2.0
10  *
11  *  Unless required by applicable law or agreed to in writing, software
12  *  distributed under the License is distributed on an "AS IS" BASIS,
13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  *  See the License for the specific language governing permissions and
15  *  limitations under the License.
16  *
17  ******************************************************************************/
18 
19 /******************************************************************************
20  *
21  *  This file contains functions for the Bluetooth Security Manager
22  *
23  ******************************************************************************/
24 
25 #define LOG_TAG "bt_btm_sec"
26 
27 #include <stdarg.h>
28 #include <string.h>
29 
30 #include "bt_types.h"
31 #include "device/include/controller.h"
32 #include "hcimsgs.h"
33 #include "btu.h"
34 #include "btm_int.h"
35 #include "l2c_int.h"
36 #include "bt_utils.h"
37 #include "osi/include/log.h"
38 
39 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
40 /* needed for sprintf() */
41 #include <stdio.h>
42 #endif
43 
44 #if BLE_INCLUDED == TRUE
45     #include "gatt_int.h"
46 #endif
47 
48 #define BTM_SEC_MAX_COLLISION_DELAY     (5000)
49 
50 #ifdef APPL_AUTH_WRITE_EXCEPTION
51 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
52 #endif
53 
54 
55 /********************************************************************************
56 **              L O C A L    F U N C T I O N     P R O T O T Y P E S            *
57 *********************************************************************************/
58 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
59 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
60 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
61                                                 UINT32 mx_proto_id,
62                                                 UINT32 mx_chan_id);
63 
64 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
65 static BOOLEAN  btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
66 static BOOLEAN  btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
67 static BOOLEAN  btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
68 static void     btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
69 static void     btm_restore_mode(void);
70 static void     btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
71 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
72 static void     btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
73 
74 #if (BT_USE_TRACES == TRUE)
75 static char     *btm_pair_state_descr (tBTM_PAIRING_STATE state);
76 #endif
77 
78 static void     btm_sec_check_pending_reqs(void);
79 static BOOLEAN  btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
80                                           UINT32 mx_proto_id, UINT32 mx_chan_id,
81                                           tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
82 static void     btm_sec_bond_cancel_complete (void);
83 static void     btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
84 static BOOLEAN  btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec);
85 
86 static UINT8    btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
87 BOOLEAN         btm_sec_are_all_trusted(UINT32 p_mask[]);
88 
89 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
90 UINT8           btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
91 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
92 
93 static BOOLEAN  btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
94                                             UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
95                                             UINT32 mx_chan_id);
96 
97 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
98 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
99 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
100 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
101 static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm);
102 static UINT16  btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator);
103 
104 static BOOLEAN btm_sec_queue_encrypt_request  (BD_ADDR bd_addr, tBT_TRANSPORT transport,
105                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
106 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport) ;
107 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC  *p_dev_rec, tBT_TRANSPORT transport,
108                                             UINT8 encr_enable);
109 static BOOLEAN btm_sec_acceptor_rejects_bonding (tBTM_SEC_DEV_REC *p_dev_rec);
110 
111 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec);
112 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec);
113 
114 /* TRUE - authenticated link key is possible */
115 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
116 {
117     /*   OUT,    IO,     IN,     NONE */
118 /* OUT  */ {FALSE,  FALSE,  TRUE,   FALSE},
119 /* IO   */ {FALSE,  TRUE,   TRUE,   FALSE},
120 /* IN   */ {TRUE,   TRUE,   TRUE,   FALSE},
121 /* NONE */ {FALSE,  FALSE,  FALSE,  FALSE}
122 };
123 /*  BTM_IO_CAP_OUT      0   DisplayOnly */
124 /*  BTM_IO_CAP_IO       1   DisplayYesNo */
125 /*  BTM_IO_CAP_IN       2   KeyboardOnly */
126 /*  BTM_IO_CAP_NONE     3   NoInputNoOutput */
127 
128 /*******************************************************************************
129 **
130 ** Function         btm_dev_authenticated
131 **
132 ** Description      check device is authenticated
133 **
134 ** Returns          BOOLEAN TRUE or FALSE
135 **
136 *******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)137 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
138 {
139     if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
140     {
141         return(TRUE);
142     }
143     return(FALSE);
144 }
145 
146 /*******************************************************************************
147 **
148 ** Function         btm_dev_encrypted
149 **
150 ** Description      check device is encrypted
151 **
152 ** Returns          BOOLEAN TRUE or FALSE
153 **
154 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)155 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
156 {
157     if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
158     {
159         return(TRUE);
160     }
161     return(FALSE);
162 }
163 
164 /*******************************************************************************
165 **
166 ** Function         btm_dev_authorized
167 **
168 ** Description      check device is authorized
169 **
170 ** Returns          BOOLEAN TRUE or FALSE
171 **
172 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)173 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
174 {
175     if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
176     {
177         return(TRUE);
178     }
179     return(FALSE);
180 }
181 
182 /*******************************************************************************
183 **
184 ** Function         btm_dev_16_digit_authenticated
185 **
186 ** Description      check device is authenticated by using 16 digit pin or MITM
187 **
188 ** Returns          BOOLEAN TRUE or FALSE
189 **
190 *******************************************************************************/
btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)191 static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec)
192 {
193     // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used
194     if(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
195     {
196         return(TRUE);
197     }
198     return(FALSE);
199 }
200 
201 /*******************************************************************************
202 **
203 ** Function         btm_serv_trusted
204 **
205 ** Description      check service is trusted
206 **
207 ** Returns          BOOLEAN TRUE or FALSE
208 **
209 *******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)210 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
211 {
212     if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
213     {
214         return(TRUE);
215     }
216     return(FALSE);
217 }
218 
219 /*******************************************************************************
220 **
221 ** Function         BTM_SecRegister
222 **
223 ** Description      Application manager calls this function to register for
224 **                  security services.  There can be one and only one application
225 **                  saving link keys.  BTM allows only first registration.
226 **
227 ** Returns          TRUE if registered OK, else FALSE
228 **
229 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)230 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info)
231 {
232 #if BLE_INCLUDED == TRUE
233     BT_OCTET16      temp_value = {0};
234 #endif
235 
236     BTM_TRACE_EVENT("%s application registered", __func__);
237 
238 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
239     LOG_INFO("%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback);
240     if (p_cb_info->p_le_callback)
241     {
242 #if SMP_INCLUDED == TRUE
243       BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__);
244       SMP_Register(btm_proc_smp_cback);
245 #endif
246       /* if no IR is loaded, need to regenerate all the keys */
247       if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
248       {
249         btm_ble_reset_id();
250       }
251     }
252     else
253     {
254       LOG_WARN("%s p_cb_info->p_le_callback == NULL", __func__);
255     }
256 #endif
257 
258     btm_cb.api = *p_cb_info;
259 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
260      LOG_INFO("%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback);
261 #endif
262     BTM_TRACE_EVENT("%s application registered", __func__);
263     return(TRUE);
264 }
265 
266 /*******************************************************************************
267 **
268 ** Function         BTM_SecRegisterLinkKeyNotificationCallback
269 **
270 ** Description      Application manager calls this function to register for
271 **                  link key notification.  When there is nobody registered
272 **                  we should avoid changing link key
273 **
274 ** Returns          TRUE if registered OK, else FALSE
275 **
276 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)277 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
278 {
279     btm_cb.api.p_link_key_callback = p_callback;
280     return TRUE;
281 }
282 
283 /*******************************************************************************
284 **
285 ** Function         BTM_SecAddRmtNameNotifyCallback
286 **
287 ** Description      Any profile can register to be notified when name of the
288 **                  remote device is resolved.
289 **
290 ** Returns          TRUE if registered OK, else FALSE
291 **
292 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)293 BOOLEAN  BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
294 {
295     int i;
296 
297     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
298     {
299         if (btm_cb.p_rmt_name_callback[i] == NULL)
300         {
301             btm_cb.p_rmt_name_callback[i] = p_callback;
302             return(TRUE);
303         }
304     }
305 
306     return(FALSE);
307 }
308 
309 
310 /*******************************************************************************
311 **
312 ** Function         BTM_SecDeleteRmtNameNotifyCallback
313 **
314 ** Description      Any profile can deregister notification when a new Link Key
315 **                  is generated per connection.
316 **
317 ** Returns          TRUE if OK, else FALSE
318 **
319 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)320 BOOLEAN  BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
321 {
322     int i;
323 
324     for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
325     {
326         if (btm_cb.p_rmt_name_callback[i] == p_callback)
327         {
328             btm_cb.p_rmt_name_callback[i] = NULL;
329             return(TRUE);
330         }
331     }
332 
333     return(FALSE);
334 }
335 
336 /*******************************************************************************
337 **
338 ** Function         BTM_GetSecurityFlags
339 **
340 ** Description      Get security flags for the device
341 **
342 ** Returns          BOOLEAN TRUE or FALSE is device found
343 **
344 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)345 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
346 {
347     tBTM_SEC_DEV_REC *p_dev_rec;
348 
349     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
350     {
351         *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
352         return(TRUE);
353     }
354     BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
355     return(FALSE);
356 }
357 
358 /*******************************************************************************
359 **
360 ** Function         BTM_GetSecurityFlagsByTransport
361 **
362 ** Description      Get security flags for the device on a particular transport
363 **
364 ** Returns          BOOLEAN TRUE or FALSE is device found
365 **
366 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)367 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
368                                                 tBT_TRANSPORT transport)
369 {
370     tBTM_SEC_DEV_REC *p_dev_rec;
371 
372     if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
373     {
374         if (transport == BT_TRANSPORT_BR_EDR)
375             *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
376         else
377             *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
378 
379         return(TRUE);
380     }
381     BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
382     return(FALSE);
383 }
384 
385 /*******************************************************************************
386 **
387 ** Function         BTM_SetPinType
388 **
389 ** Description      Set PIN type for the device.
390 **
391 ** Returns          void
392 **
393 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)394 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
395 {
396     BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
397                     pin_type, (char *) pin_code, pin_code_len);
398 
399     /* If device is not up security mode will be set as a part of startup */
400     if ( (btm_cb.cfg.pin_type != pin_type)
401          && controller_get_interface()->get_is_ready() )
402     {
403         btsnd_hcic_write_pin_type (pin_type);
404     }
405 
406     btm_cb.cfg.pin_type     = pin_type;
407     btm_cb.cfg.pin_code_len = pin_code_len;
408     memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
409 }
410 
411 /*******************************************************************************
412 **
413 ** Function         BTM_SetPairableMode
414 **
415 ** Description      Enable or disable pairing
416 **
417 ** Parameters       allow_pairing - (TRUE or FALSE) whether or not the device
418 **                      allows pairing.
419 **                  connect_only_paired - (TRUE or FALSE) whether or not to
420 **                      only allow paired devices to connect.
421 **
422 ** Returns          void
423 **
424 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)425 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
426 {
427     BTM_TRACE_API ("BTM_SetPairableMode()  allow_pairing: %u   connect_only_paired: %u", allow_pairing, connect_only_paired);
428 
429     btm_cb.pairing_disabled    = !allow_pairing;
430     btm_cb.connect_only_paired = connect_only_paired;
431 }
432 
433 /*******************************************************************************
434 **
435 ** Function         BTM_SetSecureConnectionsOnly
436 **
437 ** Description      Enable or disable default treatment for Mode 4 Level 0 services
438 **
439 ** Parameter        secure_connections_only_mode - (TRUE or FALSE) whether or not the device
440 **                  TRUE means that the device should treat Mode 4 Level 0 services as
441 **                  services of other levels. (Secure_connections_only_mode)
442 **                  FALSE means that the device should provide default treatment for
443 **                  Mode 4 Level 0 services.
444 **
445 ** Returns          void
446 **
447 *******************************************************************************/
BTM_SetSecureConnectionsOnly(BOOLEAN secure_connections_only_mode)448 void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode)
449 {
450     BTM_TRACE_API("%s: Mode : %u", __FUNCTION__,
451                    secure_connections_only_mode);
452 
453     btm_cb.devcb.secure_connections_only = secure_connections_only_mode;
454     btm_cb.security_mode = BTM_SEC_MODE_SC;
455 }
456 #define BTM_NO_AVAIL_SEC_SERVICES   ((UINT16) 0xffff)
457 
458 /*******************************************************************************
459 **
460 ** Function         BTM_SetSecurityLevel
461 **
462 ** Description      Register service security level with Security Manager
463 **
464 ** Parameters:      is_originator - TRUE if originating the connection, FALSE if not
465 **                  p_name      - Name of the service relevant only if
466 **                                authorization will show this name to user. ignored
467 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
468 **                  service_id  - service ID for the service passed to authorization callback
469 **                  sec_level   - bit mask of the security features
470 **                  psm         - L2CAP PSM
471 **                  mx_proto_id - protocol ID of multiplexing proto below
472 **                  mx_chan_id  - channel ID of multiplexing proto below
473 **
474 ** Returns          TRUE if registered OK, else FALSE
475 **
476 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)477 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
478                               UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
479                               UINT32 mx_chan_id)
480 {
481 #if (L2CAP_UCD_INCLUDED == TRUE)
482     CONNECTION_TYPE conn_type;
483 
484     if (is_originator)
485         conn_type = CONN_ORIENT_ORIG;
486     else
487         conn_type = CONN_ORIENT_TERM;
488 
489     return(btm_sec_set_security_level (conn_type, p_name, service_id,
490                                        sec_level, psm, mx_proto_id, mx_chan_id));
491 #else
492     return(btm_sec_set_security_level (is_originator, p_name, service_id,
493                                        sec_level, psm, mx_proto_id, mx_chan_id));
494 #endif
495 }
496 
497 /*******************************************************************************
498 **
499 ** Function         btm_sec_set_security_level
500 **
501 ** Description      Register service security level with Security Manager
502 **
503 ** Parameters:      conn_type   - TRUE if originating the connection, FALSE if not
504 **                  p_name      - Name of the service relevant only if
505 **                                authorization will show this name to user. ignored
506 **                                if BTM_SEC_SERVICE_NAME_LEN is 0.
507 **                  service_id  - service ID for the service passed to authorization callback
508 **                  sec_level   - bit mask of the security features
509 **                  psm         - L2CAP PSM
510 **                  mx_proto_id - protocol ID of multiplexing proto below
511 **                  mx_chan_id  - channel ID of multiplexing proto below
512 **
513 ** Returns          TRUE if registered OK, else FALSE
514 **
515 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)516 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
517                                            UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
518                                            UINT32 mx_chan_id)
519 {
520     tBTM_SEC_SERV_REC   *p_srec;
521     UINT16               index;
522     UINT16               first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
523     BOOLEAN              record_allocated = FALSE;
524     BOOLEAN              is_originator;
525 #if (L2CAP_UCD_INCLUDED == TRUE)
526     BOOLEAN              is_ucd;
527 
528     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
529         is_originator = TRUE;
530     else
531         is_originator = FALSE;
532 
533     if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
534     {
535         is_ucd = TRUE;
536     }
537     else
538     {
539         is_ucd = FALSE;
540     }
541 #else
542     is_originator = conn_type;
543 #endif
544 
545     BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level);
546 
547     /* See if the record can be reused (same service name, psm, mx_proto_id,
548        service_id, and mx_chan_id), or obtain the next unused record */
549 
550     p_srec = &btm_cb.sec_serv_rec[0];
551 
552 
553     for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
554     {
555         /* Check if there is already a record for this service */
556         if (p_srec->security_flags & BTM_SEC_IN_USE)
557         {
558 #if BTM_SEC_SERVICE_NAME_LEN > 0
559             if (p_srec->psm == psm                  &&
560                 p_srec->mx_proto_id == mx_proto_id  &&
561                 service_id == p_srec->service_id    &&
562                 (!strncmp (p_name, (char *) p_srec->orig_service_name,
563                            BTM_SEC_SERVICE_NAME_LEN) ||
564                  !strncmp (p_name, (char *) p_srec->term_service_name,
565                            BTM_SEC_SERVICE_NAME_LEN)))
566 #else
567             if (p_srec->psm == psm                  &&
568                 p_srec->mx_proto_id == mx_proto_id  &&
569                 service_id == p_srec->service_id)
570 #endif
571             {
572                 record_allocated = TRUE;
573                 break;
574             }
575         }
576         /* Mark the first available service record */
577         else if (!record_allocated)
578         {
579             memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
580             record_allocated = TRUE;
581             first_unused_record = index;
582         }
583     }
584 
585     if (!record_allocated)
586     {
587         BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)",  BTM_SEC_MAX_SERVICE_RECORDS);
588         return(record_allocated);
589     }
590 
591     /* Process the request if service record is valid */
592     /* If a duplicate service wasn't found, use the first available */
593     if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
594     {
595         index = first_unused_record;
596         p_srec = &btm_cb.sec_serv_rec[index];
597     }
598 
599     p_srec->psm         = psm;
600     p_srec->service_id  = service_id;
601     p_srec->mx_proto_id = mx_proto_id;
602 
603     if (is_originator)
604     {
605         p_srec->orig_mx_chan_id = mx_chan_id;
606 #if BTM_SEC_SERVICE_NAME_LEN > 0
607         BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
608 #endif
609         /* clear out the old setting, just in case it exists */
610 #if (L2CAP_UCD_INCLUDED == TRUE)
611         if ( is_ucd )
612         {
613             p_srec->ucd_security_flags &=
614             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
615               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
616         }
617         else
618 #endif
619         {
620             p_srec->security_flags &=
621             ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT    | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
622               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
623         }
624 
625         /* Parameter validation.  Originator should not set requirements for incoming connections */
626         sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE
627                 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN );
628 
629         if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
630             btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
631             btm_cb.security_mode == BTM_SEC_MODE_SC)
632         {
633             if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
634                 sec_level |= BTM_SEC_OUT_MITM;
635         }
636 
637         /* Make sure the authenticate bit is set, when encrypt bit is set */
638         if (sec_level & BTM_SEC_OUT_ENCRYPT)
639             sec_level |= BTM_SEC_OUT_AUTHENTICATE;
640 
641         /* outgoing connections usually set the security level right before
642          * the connection is initiated.
643          * set it to be the outgoing service */
644 #if (L2CAP_UCD_INCLUDED == TRUE)
645         if ( is_ucd == FALSE )
646 #endif
647         {
648             btm_cb.p_out_serv = p_srec;
649         }
650     }
651     else
652     {
653         p_srec->term_mx_chan_id = mx_chan_id;
654 #if BTM_SEC_SERVICE_NAME_LEN > 0
655         BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
656 #endif
657         /* clear out the old setting, just in case it exists */
658 #if (L2CAP_UCD_INCLUDED == TRUE)
659         if ( is_ucd )
660         {
661             p_srec->ucd_security_flags &=
662             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
663               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
664               | BTM_SEC_IN_MIN_16_DIGIT_PIN);
665         }
666         else
667 #endif
668         {
669             p_srec->security_flags &=
670             ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT     | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
671               BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
672               | BTM_SEC_IN_MIN_16_DIGIT_PIN);
673         }
674 
675         /* Parameter validation.  Acceptor should not set requirements for outgoing connections */
676         sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
677 
678         if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
679             btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
680             btm_cb.security_mode == BTM_SEC_MODE_SC)
681         {
682             if (sec_level & BTM_SEC_IN_AUTHENTICATE)
683                 sec_level |= BTM_SEC_IN_MITM;
684         }
685 
686         /* Make sure the authenticate bit is set, when encrypt bit is set */
687         if (sec_level & BTM_SEC_IN_ENCRYPT)
688             sec_level |= BTM_SEC_IN_AUTHENTICATE;
689     }
690 
691 #if (L2CAP_UCD_INCLUDED == TRUE)
692     if ( is_ucd )
693     {
694         p_srec->security_flags     |= (UINT16)(BTM_SEC_IN_USE);
695         p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
696     }
697     else
698     {
699         p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
700     }
701 
702     BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
703                    index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
704 
705     BTM_TRACE_API("               : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
706                    p_srec->security_flags, p_srec->ucd_security_flags);
707 
708 #if BTM_SEC_SERVICE_NAME_LEN > 0
709     BTM_TRACE_API("               : service name [%s] (up to %d chars saved)",
710                    p_name, BTM_SEC_SERVICE_NAME_LEN);
711 #endif
712 #else
713     p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
714 
715     BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
716                    index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
717 
718 #if BTM_SEC_SERVICE_NAME_LEN > 0
719     BTM_TRACE_API("               : sec: 0x%x, service name [%s] (up to %d chars saved)",
720                    p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
721 #endif
722 #endif
723 
724 
725     return(record_allocated);
726 }
727 
728 /*******************************************************************************
729 **
730 ** Function         BTM_SecClrService
731 **
732 ** Description      Removes specified service record(s) from the security database.
733 **                  All service records with the specified name are removed.
734 **                  Typically used only by devices with limited RAM so that it can
735 **                  reuse an old security service record.
736 **
737 **                  Note: Unpredictable results may occur if a service is cleared
738 **                      that is still in use by an application/profile.
739 **
740 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
741 **                          records (except SDP).
742 **
743 ** Returns          Number of records that were freed.
744 **
745 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)746 UINT8 BTM_SecClrService (UINT8 service_id)
747 {
748     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
749     UINT8   num_freed = 0;
750     int     i;
751 
752     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
753     {
754         /* Delete services with specified name (if in use and not SDP) */
755         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
756             (!service_id || (service_id == p_srec->service_id)))
757         {
758             BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
759             p_srec->security_flags = 0;
760 #if (L2CAP_UCD_INCLUDED == TRUE)
761             p_srec->ucd_security_flags = 0;
762 #endif
763             num_freed++;
764         }
765     }
766 
767     return(num_freed);
768 }
769 
770 /*******************************************************************************
771 **
772 ** Function         btm_sec_clr_service_by_psm
773 **
774 ** Description      Removes specified service record from the security database.
775 **                  All service records with the specified psm are removed.
776 **                  Typically used by L2CAP to free up the service record used
777 **                  by dynamic PSM clients when the channel is closed.
778 **                  The given psm must be a virtual psm.
779 **
780 ** Parameters       Service ID - Id of the service to remove. ('0' removes all service
781 **                          records (except SDP).
782 **
783 ** Returns          Number of records that were freed.
784 **
785 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)786 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
787 {
788     tBTM_SEC_SERV_REC   *p_srec = &btm_cb.sec_serv_rec[0];
789     UINT8   num_freed = 0;
790     int     i;
791 
792     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
793     {
794         /* Delete services with specified name (if in use and not SDP) */
795         if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
796         {
797             BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
798             p_srec->security_flags = 0;
799             num_freed++;
800         }
801     }
802     BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
803 
804     return(num_freed);
805 }
806 
807 /*******************************************************************************
808 **
809 ** Function         btm_sec_clr_temp_auth_service
810 **
811 ** Description      Removes specified device record's temporary authorization
812 **                  flag from the security database.
813 **
814 ** Parameters       Device address to be cleared
815 **
816 ** Returns          void.
817 **
818 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)819 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
820 {
821     tBTM_SEC_DEV_REC   *p_dev_rec;
822 
823     if ((p_dev_rec = btm_find_dev (bda)) == NULL)
824     {
825         BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
826         return;
827     }
828 
829     /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
830     if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
831     {
832         BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
833                     bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
834 
835         p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
836     }
837 }
838 
839 /*******************************************************************************
840 **
841 ** Function         BTM_PINCodeReply
842 **
843 ** Description      This function is called after Security Manager submitted
844 **                  PIN code request to the UI.
845 **
846 ** Parameters:      bd_addr      - Address of the device for which PIN was requested
847 **                  res          - result of the operation BTM_SUCCESS if success
848 **                  pin_len      - length in bytes of the PIN Code
849 **                  p_pin        - pointer to array with the PIN Code
850 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
851 **
852 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])853 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
854 {
855     tBTM_SEC_DEV_REC *p_dev_rec;
856 
857     BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s   PairFlags: 0x%02x  PinLen:%d  Result:%d",
858                     btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
859 
860     /* If timeout already expired or has been canceled, ignore the reply */
861     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
862     {
863         BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
864         return;
865     }
866 
867     if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
868     {
869         BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
870         return;
871     }
872 
873     if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
874     {
875         BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
876         return;
877     }
878 
879     if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
880         res = BTM_ILLEGAL_VALUE;
881 
882     if (res != BTM_SUCCESS)
883     {
884         /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
885         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
886             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
887             (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
888         {
889             /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
890             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
891             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
892 
893             btsnd_hcic_pin_code_neg_reply (bd_addr);
894         }
895         else
896         {
897             p_dev_rec->security_required = BTM_SEC_NONE;
898             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
899         }
900         return;
901     }
902     if (trusted_mask)
903         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
904     p_dev_rec->sec_flags   |= BTM_SEC_LINK_KEY_AUTHED;
905     if (pin_len >= 16) {
906         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
907     }
908 
909     if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
910          &&  (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
911          &&  (btm_cb.security_mode_changed == FALSE) )
912     {
913         /* This is start of the dedicated bonding if local device is 2.0 */
914         btm_cb.pin_code_len = pin_len;
915         p_dev_rec->pin_code_length = pin_len;
916         memcpy (btm_cb.pin_code, p_pin, pin_len);
917 
918         btm_cb.security_mode_changed = TRUE;
919 #ifdef APPL_AUTH_WRITE_EXCEPTION
920         if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
921 #endif
922         btsnd_hcic_write_auth_enable (TRUE);
923 
924         btm_cb.acl_disc_reason = 0xff ;
925 
926         /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
927         /*  before originating  */
928         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
929         {
930             BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
931             /* we change state little bit early so btm_sec_connected() will originate connection */
932             /*   when existing ACL link is down completely */
933             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
934         }
935         /* if we already accepted incoming connection from pairing device */
936         else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
937         {
938             BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
939             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
940         }
941         else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
942         {
943             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
944             p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
945 
946             if (btm_cb.api.p_auth_complete_callback)
947                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
948                                                     p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
949         }
950         return;
951     }
952 
953     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
954     btm_cb.acl_disc_reason = HCI_SUCCESS;
955 
956     btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
957 }
958 
959 /*******************************************************************************
960 **
961 ** Function         btm_sec_bond_by_transport
962 **
963 ** Description      this is the bond function that will start either SSP or SMP.
964 **
965 ** Parameters:      bd_addr      - Address of the device to bond
966 **                  pin_len      - length in bytes of the PIN Code
967 **                  p_pin        - pointer to array with the PIN Code
968 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
969 **
970 **  Note: After 2.1 parameters are not used and preserved here not to change API
971 *******************************************************************************/
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])972 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
973                                        UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
974 {
975     tBTM_SEC_DEV_REC *p_dev_rec;
976     tBTM_STATUS      status;
977     UINT8            *p_features;
978     UINT8            ii;
979     tACL_CONN        *p= btm_bda_to_acl(bd_addr, transport);
980     BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
981                     bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
982 
983     BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
984 
985 
986     /* Other security process is in progress */
987     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
988     {
989         BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
990         return(BTM_WRONG_MODE);
991     }
992 
993     if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
994     {
995         return(BTM_NO_RESOURCES);
996     }
997 
998     BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
999 
1000     /* Finished if connection is active and already paired */
1001     if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
1002          &&  (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
1003 #if (BLE_INCLUDED == TRUE)
1004         ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
1005          &&  (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
1006 #endif
1007 
1008          )
1009     {
1010         BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
1011         return(BTM_SUCCESS);
1012     }
1013 
1014     /* Tell controller to get rid of the link key if it has one stored */
1015     if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1016         return(BTM_NO_RESOURCES);
1017 
1018     /* Save the PIN code if we got a valid one */
1019     if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1020     {
1021         btm_cb.pin_code_len = pin_len;
1022         p_dev_rec->pin_code_length = pin_len;
1023         memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1024     }
1025 
1026     memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1027 
1028     btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1029 
1030     p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1031     p_dev_rec->is_originator     = TRUE;
1032     if (trusted_mask)
1033         BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1034 
1035 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1036     if (transport == BT_TRANSPORT_LE)
1037     {
1038         btm_ble_init_pseudo_addr (p_dev_rec, bd_addr);
1039         p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1040 
1041         if (SMP_Pair(bd_addr) == SMP_STARTED)
1042         {
1043             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1044             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1045             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1046             return BTM_CMD_STARTED;
1047         }
1048 
1049         btm_cb.pairing_flags = 0;
1050         return(BTM_NO_RESOURCES);
1051     }
1052 #endif
1053 
1054     p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1055                                   | BTM_SEC_ROLE_SWITCHED  | BTM_SEC_LINK_KEY_AUTHED);
1056 
1057 
1058     BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1059     if (!controller_get_interface()->supports_simple_pairing())
1060     {
1061         /* The special case when we authenticate keyboard.  Set pin type to fixed */
1062         /* It would be probably better to do it from the application, but it is */
1063         /* complicated */
1064         if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1065             && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1066             && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1067         {
1068             btm_cb.pin_type_changed = TRUE;
1069             btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1070         }
1071     }
1072 
1073     for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1074     {
1075         p_features = p_dev_rec->features[ii];
1076         BTM_TRACE_EVENT("  remote_features page[%1d] = %02x-%02x-%02x-%02x",
1077                          ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1078         BTM_TRACE_EVENT("                              %02x-%02x-%02x-%02x",
1079                              p_features[4], p_features[5], p_features[6], p_features[7]);
1080     }
1081 
1082     BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x  HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1083 
1084 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1085     p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1086 #endif
1087 
1088     /* If connection already exists... */
1089     if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1090     {
1091         if (!btm_sec_start_authentication (p_dev_rec))
1092             return(BTM_NO_RESOURCES);
1093 
1094         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1095 
1096         /* Mark lcb as bonding */
1097         l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1098         return(BTM_CMD_STARTED);
1099     }
1100 
1101     BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1102     if (!controller_get_interface()->supports_simple_pairing()
1103         || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1104     {
1105         if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1106             return (BTM_CMD_STARTED);
1107     }
1108     if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
1109          btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
1110          btm_cb.security_mode == BTM_SEC_MODE_SC) &&
1111          BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1112     {
1113         /* local is 2.1 and peer is unknown */
1114         if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1115         {
1116             /* we are not accepting connection request from peer
1117              * -> RNR (to learn if peer is 2.1)
1118              * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1119             btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1120             BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1121         }
1122         else
1123         {
1124             /* We are accepting connection request from peer */
1125             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1126         }
1127         BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1128             btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1129         return BTM_CMD_STARTED;
1130     }
1131 
1132     /* both local and peer are 2.1  */
1133     status = btm_sec_dd_create_conn(p_dev_rec);
1134 
1135     if (status != BTM_CMD_STARTED)
1136     {
1137         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1138     }
1139 
1140     return status;
1141 }
1142 
1143 /*******************************************************************************
1144 **
1145 ** Function         BTM_SecBondByTransport
1146 **
1147 ** Description      This function is called to perform bonding with peer device.
1148 **                  If the connection is already up, but not secure, pairing
1149 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1150 **
1151 ** Parameters:      bd_addr      - Address of the device to bond
1152 **                  transport    - doing SSP over BR/EDR or SMP over LE
1153 **                  pin_len      - length in bytes of the PIN Code
1154 **                  p_pin        - pointer to array with the PIN Code
1155 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1156 **
1157 **  Note: After 2.1 parameters are not used and preserved here not to change API
1158 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1159 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1160                                     UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1161 {
1162 #if SMP_INCLUDED == TRUE
1163     tBT_DEVICE_TYPE     dev_type;
1164     tBLE_ADDR_TYPE      addr_type;
1165 
1166     BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1167     /* LE device, do SMP pairing */
1168     if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1169         (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1170     {
1171         return BTM_ILLEGAL_ACTION;
1172     }
1173 #endif
1174     return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1175 }
1176 
1177 /*******************************************************************************
1178 **
1179 ** Function         BTM_SecBond
1180 **
1181 ** Description      This function is called to perform bonding with peer device.
1182 **                  If the connection is already up, but not secure, pairing
1183 **                  is attempted.  If already paired BTM_SUCCESS is returned.
1184 **
1185 ** Parameters:      bd_addr      - Address of the device to bond
1186 **                  pin_len      - length in bytes of the PIN Code
1187 **                  p_pin        - pointer to array with the PIN Code
1188 **                  trusted_mask - bitwise OR of trusted services (array of UINT32)
1189 **
1190 **  Note: After 2.1 parameters are not used and preserved here not to change API
1191 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1192 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1193 {
1194     tBT_TRANSPORT   transport = BT_TRANSPORT_BR_EDR;
1195 #if BLE_INCLUDED == TRUE
1196     if (BTM_UseLeLink(bd_addr))
1197         transport = BT_TRANSPORT_LE;
1198 #endif
1199     return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1200 }
1201 /*******************************************************************************
1202 **
1203 ** Function         BTM_SecBondCancel
1204 **
1205 ** Description      This function is called to cancel ongoing bonding process
1206 **                  with peer device.
1207 **
1208 ** Parameters:      bd_addr      - Address of the peer device
1209 **                         transport    - FALSE for BR/EDR link; TRUE for LE link
1210 **
1211 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1212 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1213 {
1214     tBTM_SEC_DEV_REC *p_dev_rec;
1215 
1216     BTM_TRACE_API ("BTM_SecBondCancel()  State: %s flags:0x%x",
1217                     btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1218 
1219     if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1220         ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1221         return BTM_UNKNOWN_ADDR;
1222 
1223 #if SMP_INCLUDED == TRUE
1224     if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1225     {
1226         if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1227         {
1228             BTM_TRACE_DEBUG ("Cancel LE pairing");
1229             if (SMP_PairCancel(bd_addr))
1230             {
1231                 return BTM_CMD_STARTED;
1232             }
1233         }
1234         return BTM_WRONG_MODE;
1235     }
1236 
1237 #endif
1238     BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1239     if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1240         BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1241     {
1242         /* pre-fetching pin for dedicated bonding */
1243         btm_sec_bond_cancel_complete();
1244         return BTM_SUCCESS;
1245     }
1246 
1247     /* If this BDA is in a bonding procedure */
1248     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1249          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1250     {
1251         /* If the HCI link is up */
1252         if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1253         {
1254             /* If some other thread disconnecting, we do not send second command */
1255             if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1256                 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH))
1257                 return(BTM_CMD_STARTED);
1258 
1259             /* If the HCI link was set up by Bonding process */
1260             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1261                 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1262             else
1263                 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1264 
1265             return BTM_NOT_AUTHORIZED;
1266         }
1267         else /*HCI link is not up */
1268         {
1269             /* If the HCI link creation was started by Bonding process */
1270             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1271             {
1272                 if (btsnd_hcic_create_conn_cancel(bd_addr))
1273                     return BTM_CMD_STARTED;
1274 
1275                 return BTM_NO_RESOURCES;
1276             }
1277             if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1278             {
1279                 BTM_CancelRemoteDeviceName();
1280                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1281                 return BTM_CMD_STARTED;
1282             }
1283             return BTM_NOT_AUTHORIZED;
1284         }
1285     }
1286 
1287     return BTM_WRONG_MODE;
1288 }
1289 
1290 /*******************************************************************************
1291 **
1292 ** Function         BTM_SecGetDeviceLinkKey
1293 **
1294 ** Description      This function is called to obtain link key for the device
1295 **                  it returns BTM_SUCCESS if link key is available, or
1296 **                  BTM_UNKNOWN_ADDR if Security Manager does not know about
1297 **                  the device or device record does not contain link key info
1298 **
1299 ** Parameters:      bd_addr      - Address of the device
1300 **                  link_key     - Link Key is copied into this array
1301 **
1302 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1303 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1304 {
1305     tBTM_SEC_DEV_REC *p_dev_rec;
1306 
1307     if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1308         && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1309     {
1310         memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1311         return(BTM_SUCCESS);
1312     }
1313     return(BTM_UNKNOWN_ADDR);
1314 }
1315 
1316 /*******************************************************************************
1317 **
1318 ** Function         BTM_SecGetDeviceLinkKeyType
1319 **
1320 ** Description      This function is called to obtain link key type for the
1321 **                  device.
1322 **                  it returns BTM_SUCCESS if link key is available, or
1323 **                  BTM_UNKNOWN_ADDR if Security Manager does not know about
1324 **                  the device or device record does not contain link key info
1325 **
1326 ** Returns          BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1327 **                  otherwise.
1328 **
1329 *******************************************************************************/
BTM_SecGetDeviceLinkKeyType(BD_ADDR bd_addr)1330 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr)
1331 {
1332     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1333 
1334     if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1335     {
1336         return p_dev_rec->link_key_type;
1337     }
1338     return BTM_LKEY_TYPE_IGNORE;
1339 }
1340 
1341 /*******************************************************************************
1342 **
1343 ** Function         BTM_SetEncryption
1344 **
1345 ** Description      This function is called to ensure that connection is
1346 **                  encrypted.  Should be called only on an open connection.
1347 **                  Typically only needed for connections that first want to
1348 **                  bring up unencrypted links, then later encrypt them.
1349 **
1350 ** Parameters:      bd_addr       - Address of the peer device
1351 **                  p_callback    - Pointer to callback function called if
1352 **                                  this function returns PENDING after required
1353 **                                  procedures are completed.  Can be set to NULL
1354 **                                  if status is not desired.
1355 **                  p_ref_data    - pointer to any data the caller wishes to receive
1356 **                                  in the callback function upon completion.
1357 *                                   can be set to NULL if not used.
1358 **                  transport  -    TRUE to encryption the link over LE transport
1359 **                                  or FALSE for BR/EDR transport
1360 **
1361 ** Returns          BTM_SUCCESS   - already encrypted
1362 **                  BTM_PENDING   - command will be returned in the callback
1363 **                  BTM_WRONG_MODE- connection not up.
1364 **                  BTM_BUSY      - security procedures are currently active
1365 **                  BTM_MODE_UNSUPPORTED - if security manager not linked in.
1366 **
1367 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1368 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1369                                void *p_ref_data)
1370 {
1371     tBTM_STATUS rc = 0;
1372 
1373     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
1374     if (!p_dev_rec ||
1375         (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1376 #if BLE_INCLUDED == TRUE
1377         || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1378 #endif
1379         )
1380     {
1381         /* Connection should be up and runnning */
1382         BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1383 
1384         if (p_callback)
1385             (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1386 
1387         return(BTM_WRONG_MODE);
1388     }
1389 
1390     if ((transport == BT_TRANSPORT_BR_EDR &&
1391          (p_dev_rec->sec_flags &  BTM_SEC_ENCRYPTED))
1392 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1393          || (transport == BT_TRANSPORT_LE &&
1394            (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED))
1395 #endif
1396           )
1397     {
1398         BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1399 
1400         if (p_callback)
1401             (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1402 
1403         return(BTM_SUCCESS);
1404     }
1405 
1406     /* enqueue security request if security is active */
1407     if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE))
1408     {
1409         BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request");
1410 
1411         if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data))
1412         {
1413             return BTM_CMD_STARTED;
1414         }
1415         else
1416         {
1417             if (p_callback)
1418                 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1419             return BTM_NO_RESOURCES;
1420         }
1421     }
1422 
1423     p_dev_rec->p_callback        = p_callback;
1424     p_dev_rec->p_ref_data        = p_ref_data;
1425     p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1426     p_dev_rec->is_originator     = FALSE;
1427 
1428     BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1429                     p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1430                     p_dev_rec->security_required);
1431 
1432 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1433     if (transport == BT_TRANSPORT_LE)
1434     {
1435         tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1436         if (p)
1437         {
1438            rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1439         }
1440         else
1441         {
1442             rc = BTM_WRONG_MODE;
1443             BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__);
1444         }
1445     }
1446     else
1447 #endif
1448         rc = btm_sec_execute_procedure (p_dev_rec);
1449 
1450     if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1451     {
1452         if (p_callback)
1453         {
1454             p_dev_rec->p_callback = NULL;
1455             (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1456         }
1457     }
1458 
1459     return(rc);
1460 }
1461 
1462 /*******************************************************************************
1463  * disconnect the ACL link, if it's not done yet.
1464 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1465 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1466 {
1467     UINT8       old_state = p_dev_rec->sec_state;
1468     tBTM_STATUS status = BTM_CMD_STARTED;
1469 
1470     BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect:  handle:0x%x, reason=0x%x",
1471                       conn_handle, reason);
1472 
1473     /* send HCI_Disconnect on a transport only once */
1474     switch (old_state)
1475     {
1476         case BTM_SEC_STATE_DISCONNECTING:
1477             if (conn_handle == p_dev_rec->hci_handle)
1478                 return status;
1479 
1480             p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1481             break;
1482 
1483 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1484         case BTM_SEC_STATE_DISCONNECTING_BLE:
1485             if (conn_handle == p_dev_rec->ble_hci_handle)
1486                 return status;
1487 
1488             p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1489             break;
1490 
1491         case BTM_SEC_STATE_DISCONNECTING_BOTH:
1492             return status;
1493 #endif
1494 
1495         default:
1496             p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ?
1497                     BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
1498 
1499             break;
1500     }
1501 
1502     /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */
1503     if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle)
1504     {
1505         BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1506               p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1507         status = BTM_SUCCESS;
1508     }
1509     /* Tear down the HCI link */
1510     else if (!btsnd_hcic_disconnect (conn_handle, reason))
1511     {
1512          /* could not send disconnect. restore old state */
1513          p_dev_rec->sec_state = old_state;
1514          status = BTM_NO_RESOURCES;
1515     }
1516 
1517     return status;
1518 }
1519 
1520 /*******************************************************************************
1521 **
1522 ** Function         BTM_ConfirmReqReply
1523 **
1524 ** Description      This function is called to confirm the numeric value for
1525 **                  Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1526 **
1527 ** Parameters:      res           - result of the operation BTM_SUCCESS if success
1528 **                  bd_addr       - Address of the peer device
1529 **
1530 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1531 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1532 {
1533     tBTM_SEC_DEV_REC *p_dev_rec;
1534 
1535     BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s  Res: %u",
1536                       btm_pair_state_descr(btm_cb.pairing_state), res);
1537 
1538     /* If timeout already expired or has been canceled, ignore the reply */
1539     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1540          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1541         return;
1542 
1543     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1544 
1545     if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1546     {
1547         btm_cb.acl_disc_reason = HCI_SUCCESS;
1548 
1549         if (res == BTM_SUCCESS)
1550         {
1551             if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1552                 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1553                 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
1554         }
1555 
1556         btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1557     }
1558     else
1559     {
1560         /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1561         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1562         btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1563     }
1564 }
1565 
1566 /*******************************************************************************
1567 **
1568 ** Function         BTM_PasskeyReqReply
1569 **
1570 ** Description      This function is called to provide the passkey for
1571 **                  Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1572 **
1573 ** Parameters:      res     - result of the operation BTM_SUCCESS if success
1574 **                  bd_addr - Address of the peer device
1575 **                  passkey - numeric value in the range of
1576 **                  BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1577 **
1578 *******************************************************************************/
1579 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1580 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1581 {
1582     BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s  res:%d",
1583                     btm_pair_state_descr(btm_cb.pairing_state), res);
1584 
1585     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1586          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1587     {
1588         return;
1589     }
1590 
1591     /* If timeout already expired or has been canceled, ignore the reply */
1592     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1593     {
1594         tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1595         if (p_dev_rec != NULL)
1596         {
1597             btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1598 
1599             if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1600                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1601             else
1602                 BTM_SecBondCancel(bd_addr);
1603 
1604             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1605 
1606             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1607             return;
1608         }
1609     }
1610     else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1611         return;
1612 
1613     if (passkey > BTM_MAX_PASSKEY_VAL)
1614         res = BTM_ILLEGAL_VALUE;
1615 
1616     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1617 
1618     if (res != BTM_SUCCESS)
1619     {
1620         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1621         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1622         btsnd_hcic_user_passkey_neg_reply (bd_addr);
1623     } else {
1624         btm_cb.acl_disc_reason = HCI_SUCCESS;
1625         btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1626     }
1627 }
1628 #endif
1629 
1630 /*******************************************************************************
1631 **
1632 ** Function         BTM_SendKeypressNotif
1633 **
1634 ** Description      This function is used during the passkey entry model
1635 **                  by a device with KeyboardOnly IO capabilities
1636 **                  (very likely to be a HID Device).
1637 **                  It is called by a HID Device to inform the remote device when
1638 **                  a key has been entered or erased.
1639 **
1640 ** Parameters:      bd_addr - Address of the peer device
1641 **                  type - notification type
1642 **
1643 *******************************************************************************/
1644 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1645 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1646 {
1647     /* This API only make sense between PASSKEY_REQ and SP complete */
1648     if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1649         btsnd_hcic_send_keypress_notif (bd_addr, type);
1650 }
1651 #endif
1652 
1653 #if BTM_OOB_INCLUDED == TRUE
1654 /*******************************************************************************
1655 **
1656 ** Function         BTM_IoCapRsp
1657 **
1658 ** Description      This function is called in response to BTM_SP_IO_REQ_EVT
1659 **                  When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1660 **                  by the tBTM_SP_CALLBACK implementation, this function is
1661 **                  called to provide the actual response
1662 **
1663 ** Parameters:      bd_addr - Address of the peer device
1664 **                  io_cap  - The IO capability of local device.
1665 **                  oob     - BTM_OOB_NONE or BTM_OOB_PRESENT.
1666 **                  auth_req- MITM protection required or not.
1667 **
1668 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1669 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1670 {
1671     BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s  oob: %d io_cap: %d",
1672                       btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1673 
1674     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1675          ||  (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1676         return;
1677 
1678     if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1679     {
1680         btm_cb.devcb.loc_auth_req   = auth_req;
1681         btm_cb.devcb.loc_io_caps    = io_cap;
1682 
1683         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1684             auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1685 
1686         btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1687     }
1688 }
1689 
1690 /*******************************************************************************
1691 **
1692 ** Function         BTM_ReadLocalOobData
1693 **
1694 ** Description      This function is called to read the local OOB data from
1695 **                  LM
1696 **
1697 *******************************************************************************/
BTM_ReadLocalOobData(void)1698 tBTM_STATUS BTM_ReadLocalOobData(void)
1699 {
1700     tBTM_STATUS status = BTM_SUCCESS;
1701 
1702     if (btsnd_hcic_read_local_oob_data() == FALSE)
1703         status = BTM_NO_RESOURCES;
1704 
1705     return status;
1706 }
1707 
1708 /*******************************************************************************
1709 **
1710 ** Function         BTM_RemoteOobDataReply
1711 **
1712 ** Description      This function is called to provide the remote OOB data for
1713 **                  Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1714 **
1715 ** Parameters:      bd_addr     - Address of the peer device
1716 **                  c           - simple pairing Hash C.
1717 **                  r           - simple pairing Randomizer  C.
1718 **
1719 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1720 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1721 {
1722     BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__,
1723                       btm_pair_state_descr(btm_cb.pairing_state), res);
1724 
1725     /* If timeout already expired or has been canceled, ignore the reply */
1726     if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1727         return;
1728 
1729     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1730 
1731     if (res != BTM_SUCCESS)
1732     {
1733         /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1734         btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1735         btsnd_hcic_rem_oob_neg_reply (bd_addr);
1736     } else {
1737         btm_cb.acl_disc_reason = HCI_SUCCESS;
1738         btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1739     }
1740 }
1741 
1742 /*******************************************************************************
1743 **
1744 ** Function         BTM_BuildOobData
1745 **
1746 ** Description      This function is called to build the OOB data payload to
1747 **                  be sent over OOB (non-Bluetooth) link
1748 **
1749 ** Parameters:      p_data  - the location for OOB data
1750 **                  max_len - p_data size.
1751 **                  c       - simple pairing Hash C.
1752 **                  r       - simple pairing Randomizer  C.
1753 **                  name_len- 0, local device name would not be included.
1754 **                            otherwise, the local device name is included for
1755 **                            up to this specified length
1756 **
1757 ** Returns          Number of bytes in p_data.
1758 **
1759 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1760 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1761                         BT_OCTET16 r, UINT8 name_len)
1762 {
1763     UINT8   *p = p_data;
1764     UINT16  len = 0;
1765 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1766     UINT16  name_size;
1767     UINT8   name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1768 #endif
1769 
1770     if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1771     {
1772         /* add mandatory part */
1773         UINT16_TO_STREAM(p, len);
1774         BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
1775 
1776         len = BTM_OOB_MANDATORY_SIZE;
1777         max_len -= len;
1778 
1779         /* now optional part */
1780 
1781         /* add Hash C */
1782         UINT16 delta = BTM_OOB_HASH_C_SIZE + 2;
1783         if (max_len >= delta)
1784         {
1785             *p++ = BTM_OOB_HASH_C_SIZE + 1;
1786             *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1787             ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1788             len     += delta;
1789             max_len -= delta;
1790         }
1791 
1792         /* add Rand R */
1793         delta = BTM_OOB_RAND_R_SIZE + 2;
1794         if (max_len >= delta)
1795         {
1796             *p++ = BTM_OOB_RAND_R_SIZE + 1;
1797             *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1798             ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1799             len     += delta;
1800             max_len -= delta;
1801         }
1802 
1803         /* add class of device */
1804         delta = BTM_OOB_COD_SIZE + 2;
1805         if (max_len >= delta)
1806         {
1807             *p++ = BTM_OOB_COD_SIZE + 1;
1808             *p++ = BTM_EIR_OOB_COD_TYPE;
1809             DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1810             len     += delta;
1811             max_len -= delta;
1812         }
1813 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1814         name_size = name_len;
1815         if (name_size > strlen(btm_cb.cfg.bd_name))
1816         {
1817             name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1818             name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1819         }
1820         delta = name_size + 2;
1821         if (max_len >= delta)
1822         {
1823             *p++ = name_size + 1;
1824             *p++ = name_type;
1825             ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1826             len     += delta;
1827             max_len -= delta;
1828         }
1829 #endif
1830         /* update len */
1831         p = p_data;
1832         UINT16_TO_STREAM(p, len);
1833     }
1834     return len;
1835 }
1836 
1837 /*******************************************************************************
1838 **
1839 ** Function         BTM_BothEndsSupportSecureConnections
1840 **
1841 ** Description      This function is called to check if both the local device and the peer device
1842 **                  specified by bd_addr support BR/EDR Secure Connections.
1843 **
1844 ** Parameters:      bd_addr - address of the peer
1845 **
1846 ** Returns          TRUE if BR/EDR Secure Connections are supported by both local
1847 **                  and the remote device.
1848 **                  else FALSE.
1849 **
1850 *******************************************************************************/
BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)1851 BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)
1852 {
1853     return ((controller_get_interface()->supports_secure_connections()) &&
1854             (BTM_PeerSupportsSecureConnections(bd_addr)));
1855 }
1856 
1857 /*******************************************************************************
1858 **
1859 ** Function         BTM_PeerSupportsSecureConnections
1860 **
1861 ** Description      This function is called to check if the peer supports
1862 **                  BR/EDR Secure Connections.
1863 **
1864 ** Parameters:      bd_addr - address of the peer
1865 **
1866 ** Returns          TRUE if BR/EDR Secure Connections are supported by the peer,
1867 **                  else FALSE.
1868 **
1869 *******************************************************************************/
BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)1870 BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)
1871 {
1872     tBTM_SEC_DEV_REC    *p_dev_rec;
1873 
1874     if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL)
1875     {
1876         BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x", __FUNCTION__,
1877             (bd_addr[0]<<24) + (bd_addr[1]<<16) + (bd_addr[2]<<8) + bd_addr[3],
1878             (bd_addr[4]<< 8) + bd_addr[5]);
1879         return FALSE;
1880     }
1881 
1882     return (p_dev_rec->remote_supports_secure_connections);
1883 }
1884 
1885 /*******************************************************************************
1886 **
1887 ** Function         BTM_ReadOobData
1888 **
1889 ** Description      This function is called to parse the OOB data payload
1890 **                  received over OOB (non-Bluetooth) link
1891 **
1892 ** Parameters:      p_data  - the location for OOB data
1893 **                  eir_tag - The associated EIR tag to read the data.
1894 **                  *p_len(output) - the length of the data with the given tag.
1895 **
1896 ** Returns          the beginning of the data with the given tag.
1897 **                  NULL, if the tag is not found.
1898 **
1899 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1900 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1901 {
1902     UINT8   *p = p_data;
1903     UINT16  max_len;
1904     UINT8   len, type;
1905     UINT8   *p_ret = NULL;
1906     UINT8   ret_len = 0;
1907 
1908     if (p_data)
1909     {
1910         STREAM_TO_UINT16(max_len, p);
1911         if (max_len >= BTM_OOB_MANDATORY_SIZE)
1912         {
1913             if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1914             {
1915                 p_ret = p; /* the location for bd_addr */
1916                 ret_len = BTM_OOB_BD_ADDR_SIZE;
1917             }
1918             else
1919             {
1920                 p += BD_ADDR_LEN;
1921                 max_len -= BTM_OOB_MANDATORY_SIZE;
1922                 /* now the optional data in EIR format */
1923                 while (max_len > 0)
1924                 {
1925                     len     = *p++; /* tag data len + 1 */
1926                     type    = *p++;
1927                     if (eir_tag == type)
1928                     {
1929                         p_ret = p;
1930                         ret_len = len - 1;
1931                         break;
1932                     }
1933                     /* the data size of this tag is len + 1 (tag data len + 2) */
1934                     if (max_len > len)
1935                     {
1936                         max_len -= len;
1937                         max_len--;
1938                         len--;
1939                         p += len;
1940                     }
1941                     else
1942                         max_len = 0;
1943                 }
1944             }
1945         }
1946     }
1947 
1948     if (p_len)
1949         *p_len = ret_len;
1950 
1951     return p_ret;
1952 }
1953 #endif
1954 
1955 /*******************************************************************************
1956 **
1957 ** Function         BTM_SetOutService
1958 **
1959 ** Description      This function is called to set the service for
1960 **                  outgoing connections.
1961 **
1962 **                  If the profile/application calls BTM_SetSecurityLevel
1963 **                  before initiating a connection, this function does not
1964 **                  need to be called.
1965 **
1966 ** Returns          void
1967 **
1968 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1969 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1970 {
1971     tBTM_SEC_DEV_REC *p_dev_rec;
1972     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1973 
1974     btm_cb.p_out_serv = p_serv_rec;
1975     p_dev_rec = btm_find_dev (bd_addr);
1976 
1977     for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1978     {
1979         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1980             && (p_serv_rec->service_id == service_id)
1981             && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1982         {
1983             BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1984                            p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1985             btm_cb.p_out_serv = p_serv_rec;
1986             if (p_dev_rec)
1987                 p_dev_rec->p_cur_service = p_serv_rec;
1988             break;
1989         }
1990     }
1991 }
1992 
1993 /************************************************************************
1994 **              I N T E R N A L     F U N C T I O N S
1995 *************************************************************************/
1996 /*******************************************************************************
1997 **
1998 ** Function         btm_sec_is_upgrade_possible
1999 **
2000 ** Description      This function returns TRUE if the existing link key
2001 **                  can be upgraded or if the link key does not exist.
2002 **
2003 ** Returns          BOOLEAN
2004 **
2005 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2006 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
2007 {
2008     UINT16              mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
2009     BOOLEAN             is_possible = TRUE;
2010 
2011     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
2012     {
2013         is_possible = FALSE;
2014         if(p_dev_rec->p_cur_service)
2015         {
2016             BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x",
2017                           __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type,
2018                           p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags);
2019         }
2020         else
2021         {
2022             BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x",
2023                           __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
2024         }
2025         /* Already have a link key to the connected peer. Is the link key secure enough?
2026         ** Is a link key upgrade even possible?
2027         */
2028         if ((p_dev_rec->security_required & mtm_check)    /* needs MITM */
2029             && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) ||
2030                 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256))
2031                                                           /* has unauthenticated
2032                                                           link key */
2033             && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX)  /* a valid peer IO cap */
2034             && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps]))
2035                                                           /* authenticated
2036                                                           link key is possible */
2037         {
2038             /* upgrade is possible: check if the application wants the upgrade.
2039              * If the application is configured to use a global MITM flag,
2040              * it probably would not want to upgrade the link key based on the security level database */
2041             is_possible = TRUE;
2042         }
2043     }
2044     BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags);
2045     return is_possible;
2046 }
2047 
2048 /*******************************************************************************
2049 **
2050 ** Function         btm_sec_check_upgrade
2051 **
2052 ** Description      This function is called to check if the existing link key
2053 **                  needs to be upgraded.
2054 **
2055 ** Returns          void
2056 **
2057 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2058 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC  *p_dev_rec, BOOLEAN is_originator)
2059 {
2060 
2061     BTM_TRACE_DEBUG ("%s()", __func__);
2062 
2063     /* Only check if link key already exists */
2064     if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2065         return;
2066 
2067     if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2068     {
2069         BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2070         /* upgrade is possible: check if the application wants the upgrade.
2071          * If the application is configured to use a global MITM flag,
2072          * it probably would not want to upgrade the link key based on the security level database */
2073         tBTM_SP_UPGRADE evt_data;
2074         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2075         evt_data.upgrade = TRUE;
2076         if (btm_cb.api.p_sp_callback)
2077             (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2078 
2079         BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
2080         if (evt_data.upgrade)
2081         {
2082             /* if the application confirms the upgrade, set the upgrade bit */
2083             p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2084 
2085             /* Clear the link key known to go through authentication/pairing again */
2086             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2087             p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2088             BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
2089         }
2090     }
2091 }
2092 
2093 /*******************************************************************************
2094 **
2095 ** Function         btm_sec_l2cap_access_req
2096 **
2097 ** Description      This function is called by the L2CAP to grant permission to
2098 **                  establish L2CAP connection to or from the peer device.
2099 **
2100 ** Parameters:      bd_addr       - Address of the peer device
2101 **                  psm           - L2CAP PSM
2102 **                  is_originator - TRUE if protocol above L2CAP originates
2103 **                                  connection
2104 **                  p_callback    - Pointer to callback function called if
2105 **                                  this function returns PENDING after required
2106 **                                  procedures are complete. MUST NOT BE NULL.
2107 **
2108 ** Returns          tBTM_STATUS
2109 **
2110 *******************************************************************************/
2111 #define BTM_SEC_OUT_FLAGS   (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2112 #define BTM_SEC_IN_FLAGS    (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2113 
2114 #define BTM_SEC_OUT_LEVEL4_FLAGS   (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | \
2115                                     BTM_SEC_OUT_MITM | BTM_SEC_MODE4_LEVEL4)
2116 
2117 #define BTM_SEC_IN_LEVEL4_FLAGS    (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | \
2118                                     BTM_SEC_IN_MITM | BTM_SEC_MODE4_LEVEL4)
2119 
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2120 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2121                                       CONNECTION_TYPE conn_type,
2122                                       tBTM_SEC_CALLBACK *p_callback,
2123                                       void *p_ref_data)
2124 {
2125     tBTM_SEC_DEV_REC  *p_dev_rec;
2126     tBTM_SEC_SERV_REC *p_serv_rec;
2127     UINT16         security_required;
2128     UINT16         old_security_required;
2129     BOOLEAN       old_is_originator;
2130     tBTM_STATUS   rc = BTM_SUCCESS;
2131     BOOLEAN       chk_acp_auth_done = FALSE;
2132     BOOLEAN is_originator;
2133     BOOLEAN     transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */
2134 
2135 #if (L2CAP_UCD_INCLUDED == TRUE)
2136     if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2137         is_originator = TRUE;
2138     else
2139         is_originator = FALSE;
2140 
2141     BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data);
2142 #else
2143     is_originator = conn_type;
2144 
2145     BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data);
2146 #endif
2147 
2148     /* Find or get oldest record */
2149     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2150 
2151     p_dev_rec->hci_handle = handle;
2152 
2153     /* Find the service record for the PSM */
2154     p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2155 
2156     /* If there is no application registered with this PSM do not allow connection */
2157     if (!p_serv_rec)
2158     {
2159         BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm);
2160         (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2161         return(BTM_MODE_UNSUPPORTED);
2162     }
2163 
2164     /* Services level0 by default have no security */
2165     if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only))
2166     {
2167         (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2168         return(BTM_SUCCESS);
2169     }
2170 #if (L2CAP_UCD_INCLUDED == TRUE)
2171     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2172     {
2173         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2174         {
2175             security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags,
2176                                                                is_originator);
2177         }
2178         else
2179         {
2180             security_required = p_serv_rec->ucd_security_flags;
2181         }
2182 
2183         rc = BTM_CMD_STARTED;
2184         if (is_originator)
2185         {
2186             if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2187                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2188                 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2189                 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2190             {
2191                 rc = BTM_SUCCESS;
2192             }
2193         }
2194         else
2195         {
2196             if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2197                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2198                 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2199                 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2200             {
2201                 // Check for 16 digits (or MITM)
2202                 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2203                     (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2204                      btm_dev_16_digit_authenticated(p_dev_rec))) {
2205                     rc = BTM_SUCCESS;
2206                 }
2207             }
2208         }
2209 
2210         if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2211             (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2212         {
2213             rc = BTM_CMD_STARTED;
2214         }
2215 
2216         if (rc == BTM_SUCCESS)
2217         {
2218             if (p_callback)
2219                 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2220 
2221             return(BTM_SUCCESS);
2222         }
2223     }
2224     else
2225 #endif
2226     {
2227         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2228         {
2229             security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2230                                                                 is_originator);
2231         }
2232         else
2233         {
2234             security_required = p_serv_rec->security_flags;
2235         }
2236     }
2237 
2238     BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm  0x%04x",
2239                     __FUNCTION__, security_required, is_originator, psm);
2240 
2241     if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4))
2242     {
2243         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2244         /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */
2245         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2246         {
2247             BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
2248                             "rmt_support_for_sc : %d -> fail pairing", __FUNCTION__,
2249                             local_supports_sc,
2250                             p_dev_rec->remote_supports_secure_connections);
2251             if (p_callback)
2252                 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2253                                                     BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2254 
2255             return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2256         }
2257     }
2258 
2259     /* there are some devices (moto KRZR) which connects to several services at the same time */
2260     /* we will process one after another */
2261     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2262     {
2263         BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed  state: %s mode:%d, sm4:0x%x", __func__,
2264                           psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2265         BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2266         rc = BTM_CMD_STARTED;
2267         if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2268              btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2269              btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2270              btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2271             (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2272             (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2273         {
2274             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2275              * or SM4 with no possibility of link key upgrade */
2276             if (is_originator)
2277             {
2278                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2279                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2280                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2281                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec)  && btm_dev_encrypted(p_dev_rec))) )
2282                 {
2283                     rc = BTM_SUCCESS;
2284                 }
2285             }
2286             else
2287             {
2288                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2289                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2290                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2291                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2292                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2293                 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2294                 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS)  && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2295                 {
2296                     // Check for 16 digits (or MITM)
2297                     if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2298                        (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2299                         rc = BTM_SUCCESS;
2300                     }
2301                 }
2302             }
2303 
2304             if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2305                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2306             {
2307                 rc = BTM_CMD_STARTED;
2308             }
2309 
2310             if (rc == BTM_SUCCESS)
2311             {
2312                 if (p_callback)
2313                     (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2314                 return(BTM_SUCCESS);
2315             }
2316         }
2317 
2318         btm_cb.sec_req_pending = TRUE;
2319         return(BTM_CMD_STARTED);
2320     }
2321 
2322     /* Save pointer to service record */
2323     p_dev_rec->p_cur_service = p_serv_rec;
2324 
2325     /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
2326     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2327         btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2328         btm_cb.security_mode == BTM_SEC_MODE_SC)
2329     {
2330         if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2331         {
2332             if (is_originator)
2333             {
2334                 /* SM4 to SM4 -> always authenticate & encrypt */
2335                 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2336             }
2337             else /* acceptor */
2338             {
2339                 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2340                 chk_acp_auth_done = TRUE;
2341                 /* SM4 to SM4 -> always authenticate & encrypt */
2342                 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2343            }
2344         }
2345         else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4))
2346         {
2347             /* the remote features are not known yet */
2348             BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", __FUNCTION__,
2349                             (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags);
2350 
2351             p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2352             return (BTM_CMD_STARTED);
2353         }
2354     }
2355 
2356     BTM_TRACE_DEBUG ("%s()  sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__,
2357                       p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2358 
2359     old_security_required        = p_dev_rec->security_required;
2360     old_is_originator            = p_dev_rec->is_originator;
2361     p_dev_rec->security_required = security_required;
2362     p_dev_rec->p_ref_data        = p_ref_data;
2363     p_dev_rec->is_originator     = is_originator;
2364 
2365 #if (L2CAP_UCD_INCLUDED == TRUE)
2366     if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2367         p_dev_rec->is_ucd = TRUE;
2368     else
2369         p_dev_rec->is_ucd = FALSE;
2370 #endif
2371 
2372     /* If there are multiple service records used through the same PSM */
2373     /* leave security decision for the multiplexor on the top */
2374 #if (L2CAP_UCD_INCLUDED == TRUE)
2375     if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2376         &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2377 #else
2378     if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2379 #endif
2380     {
2381         BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2382         if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2383         {
2384             BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2385             /* pre-Lisbon: restore the old settings */
2386             p_dev_rec->security_required = old_security_required;
2387             p_dev_rec->is_originator     = old_is_originator;
2388 
2389             (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2390 
2391             return(BTM_SUCCESS);
2392         }
2393     }
2394 
2395     /* if the originator is using dynamic PSM in legacy mode, do not start any security process now
2396      * The layer above L2CAP needs to carry out the security requirement after L2CAP connect
2397      * response is received */
2398     if (is_originator &&
2399         ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2400           btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2401           btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2402           btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2403          !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2404     {
2405         BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2406         /* restore the old settings */
2407         p_dev_rec->security_required = old_security_required;
2408         p_dev_rec->is_originator     = old_is_originator;
2409 
2410         (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2411 
2412         return(BTM_SUCCESS);
2413     }
2414 
2415     if (chk_acp_auth_done)
2416     {
2417         BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2418                           (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2419         /* SM4, but we do not know for sure which level of security we need.
2420          * as long as we have a link key, it's OK */
2421         if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2422             ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2423         {
2424             rc = BTM_DELAY_CHECK;
2425             /*
2426             2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2427             because of data path issues. Delay this disconnect a little bit
2428             */
2429             LOG_INFO("%s peer should have initiated security process by now (SM4 to SM4)", __func__);
2430             p_dev_rec->p_callback        = p_callback;
2431             p_dev_rec->sec_state         = BTM_SEC_STATE_DELAY_FOR_ENC;
2432             (*p_callback) (bd_addr, transport, p_ref_data, rc);
2433 
2434             return BTM_SUCCESS;
2435         }
2436     }
2437 
2438     p_dev_rec->p_callback        = p_callback;
2439 
2440     if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2441         || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2442     {
2443         /* Although authentication and encryption are per connection
2444         ** authorization is per access request.  For example when serial connection
2445         ** is up and authorized and client requests to read file (access to other
2446         ** scn), we need to request user's permission again.
2447         */
2448         p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2449     }
2450 
2451     if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2452     {
2453         if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2454             (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2455         {
2456             /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2457             if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2458             {
2459                 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2460             }
2461             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2462                                       BTM_SEC_AUTHENTICATED);
2463             BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2464         }
2465         else
2466         {
2467             /* If we already have a link key to the connected peer, is it secure enough? */
2468             btm_sec_check_upgrade(p_dev_rec, is_originator);
2469         }
2470     }
2471 
2472     BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d",
2473            __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2474            p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2475 
2476     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2477     {
2478         p_dev_rec->p_callback = NULL;
2479         (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2480     }
2481 
2482     return(rc);
2483 }
2484 
2485 /*******************************************************************************
2486 **
2487 ** Function         btm_sec_mx_access_request
2488 **
2489 ** Description      This function is called by all Multiplexing Protocols during
2490 **                  establishing connection to or from peer device to grant
2491 **                  permission to establish application connection.
2492 **
2493 ** Parameters:      bd_addr       - Address of the peer device
2494 **                  psm           - L2CAP PSM
2495 **                  is_originator - TRUE if protocol above L2CAP originates
2496 **                                  connection
2497 **                  mx_proto_id   - protocol ID of the multiplexer
2498 **                  mx_chan_id    - multiplexer channel to reach application
2499 **                  p_callback    - Pointer to callback function called if
2500 **                                  this function returns PENDING after required
2501 **                                  procedures are completed
2502 **                  p_ref_data    - Pointer to any reference data needed by the
2503 **                                  the callback function.
2504 **
2505 ** Returns          BTM_CMD_STARTED
2506 **
2507 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2508 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2509                                        UINT32 mx_proto_id, UINT32 mx_chan_id,
2510                                        tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2511 {
2512     tBTM_SEC_DEV_REC  *p_dev_rec;
2513     tBTM_SEC_SERV_REC *p_serv_rec;
2514     tBTM_STATUS        rc;
2515     UINT16             security_required;
2516     BOOLEAN transport   = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2517 
2518     BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator);
2519     /* Find or get oldest record */
2520     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2521 
2522     /* Find the service record for the PSM */
2523     p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2524 
2525     /* If there is no application registered with this PSM do not allow connection */
2526     if (!p_serv_rec)
2527     {
2528         if (p_callback)
2529             (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2530 
2531         BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2532                           psm, mx_proto_id, mx_chan_id);
2533         return BTM_NO_RESOURCES;
2534     }
2535 
2536     if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm)))
2537     {
2538         security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2539                                                            is_originator);
2540     }
2541     else
2542     {
2543         security_required = p_serv_rec->security_flags;
2544     }
2545 
2546     /* there are some devices (moto phone) which connects to several services at the same time */
2547     /* we will process one after another */
2548     if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2549     {
2550         BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed  state: %s", __func__,
2551                           psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2552 
2553         rc = BTM_CMD_STARTED;
2554 
2555         if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2556              btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2557              btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2558              btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2559             (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2560             (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2561         {
2562             /* legacy mode - local is legacy or local is lisbon/peer is legacy
2563              * or SM4 with no possibility of link key upgrade */
2564             if (is_originator)
2565             {
2566                 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2567                     ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2568                     ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2569                     )
2570                 {
2571                     rc = BTM_SUCCESS;
2572                 }
2573             }
2574             else
2575             {
2576                 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2577                     ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2578                     (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2579                     (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2580                     (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2581                     ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2582                     )
2583                 {
2584                     // Check for 16 digits (or MITM)
2585                     if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2586                        (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2587                         rc = BTM_SUCCESS;
2588                     }
2589                 }
2590             }
2591             if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2592                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2593             {
2594                 rc = BTM_CMD_STARTED;
2595             }
2596         }
2597 
2598         if (rc == BTM_SUCCESS)
2599         {
2600             BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __FUNCTION__);
2601             /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */
2602             /* btm_sec_execute_procedure */
2603             if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) ||
2604                 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE)))
2605             {
2606                 BTM_TRACE_EVENT("%s: still need authorization", __FUNCTION__);
2607                 rc = BTM_CMD_STARTED;
2608             }
2609         }
2610 
2611         /* Check whether there is a pending security procedure, if so we should always queue */
2612         /* the new security request */
2613         if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)
2614         {
2615             BTM_TRACE_EVENT("%s: There is a pending security procedure", __FUNCTION__);
2616             rc = BTM_CMD_STARTED;
2617         }
2618         if (rc == BTM_CMD_STARTED)
2619         {
2620             BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __FUNCTION__);
2621             btm_sec_queue_mx_request (bd_addr, psm,  is_originator, mx_proto_id,
2622                                       mx_chan_id, p_callback, p_ref_data);
2623         }
2624         else /* rc == BTM_SUCCESS */
2625         {
2626             /* access granted */
2627              if (p_callback)
2628             {
2629                 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc);
2630             }
2631         }
2632 
2633         BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __FUNCTION__, rc,
2634                           btm_pair_state_descr(btm_cb.pairing_state));
2635         return rc;
2636     }
2637 
2638     if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) ||
2639         (btm_cb.security_mode == BTM_SEC_MODE_SC)))
2640     {
2641         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2642         /* acceptor receives service connection establishment Request for */
2643         /* Secure Connections Only service */
2644         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2645         {
2646             BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
2647                             "remote_support_for_sc %d: fail pairing",__FUNCTION__,
2648                             local_supports_sc, p_dev_rec->remote_supports_secure_connections);
2649 
2650             if (p_callback)
2651                 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2652                                BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2653 
2654             return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2655         }
2656     }
2657 
2658     p_dev_rec->p_cur_service     = p_serv_rec;
2659     p_dev_rec->security_required = security_required;
2660 
2661     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2662         btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2663         btm_cb.security_mode == BTM_SEC_MODE_SC)
2664     {
2665         if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2666         {
2667             if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2668                 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2669             {
2670                 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2671                 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2672                 {
2673                     p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2674                 }
2675 
2676                 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2677                                           BTM_SEC_AUTHENTICATED);
2678                 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2679             }
2680             else
2681             {
2682                 /* If we already have a link key, check if that link key is good enough */
2683                 btm_sec_check_upgrade(p_dev_rec, is_originator);
2684             }
2685         }
2686     }
2687 
2688     p_dev_rec->is_originator     = is_originator;
2689     p_dev_rec->p_callback        = p_callback;
2690     p_dev_rec->p_ref_data        = p_ref_data;
2691 
2692     /* Although authentication and encryption are per connection */
2693     /* authorization is per access request.  For example when serial connection */
2694     /* is up and authorized and client requests to read file (access to other */
2695     /* scn, we need to request user's permission again. */
2696     p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2697 
2698     BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2699                       __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2700                       p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2701 
2702     if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2703     {
2704         if (p_callback)
2705         {
2706             p_dev_rec->p_callback = NULL;
2707             (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2708         }
2709     }
2710 
2711     return rc;
2712 }
2713 
2714 /*******************************************************************************
2715 **
2716 ** Function         btm_sec_conn_req
2717 **
2718 ** Description      This function is when the peer device is requesting
2719 **                  connection
2720 **
2721 ** Returns          void
2722 **
2723 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2724 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2725 {
2726     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bda);
2727 
2728     /* Some device may request a connection before we are done with the HCI_Reset sequence */
2729     if (!controller_get_interface()->get_is_ready())
2730     {
2731         BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2732         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2733         return;
2734     }
2735 
2736     /* Security guys wants us not to allow connection from not paired devices */
2737 
2738     /* Check if connection is allowed for only paired devices */
2739     if (btm_cb.connect_only_paired)
2740     {
2741         if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2742         {
2743             BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2744             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2745             return;
2746         }
2747     }
2748 
2749 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2750     /* If non-discoverable, only allow known devices to connect */
2751     if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2752     {
2753         if (!p_dev_rec)
2754         {
2755             BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2756             btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2757             return;
2758         }
2759     }
2760 #endif
2761 
2762     if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2763         &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2764         &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2765     {
2766         BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2767 
2768         /* incoming connection from bonding device is rejected */
2769         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2770         btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2771         return;
2772     }
2773 
2774     /* Host is not interested or approved connection.  Save BDA and DC and */
2775     /* pass request to L2CAP */
2776     memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2777     memcpy (btm_cb.connecting_dc,  dc,  DEV_CLASS_LEN);
2778 
2779     if (l2c_link_hci_conn_req (bda))
2780     {
2781         if (!p_dev_rec)
2782         {
2783             /* accept the connection -> allocate a device record */
2784             p_dev_rec = btm_sec_alloc_dev (bda);
2785         }
2786         if (p_dev_rec)
2787         {
2788             p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2789         }
2790     }
2791 }
2792 
2793 /*******************************************************************************
2794 **
2795 ** Function         btm_sec_bond_cancel_complete
2796 **
2797 ** Description      This function is called to report bond cancel complete
2798 **                  event.
2799 **
2800 ** Returns          void
2801 **
2802 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2803 static void btm_sec_bond_cancel_complete (void)
2804 {
2805     tBTM_SEC_DEV_REC *p_dev_rec;
2806 
2807     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2808         (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2809          BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2810          (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2811           BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2812     {
2813         /* for dedicated bonding in legacy mode, authentication happens at "link level"
2814          * btm_sec_connected is called with failed status.
2815          * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2816          * However, this function may clean out the security related flags and btm_sec_connected would not know
2817          * this function also needs to do proper clean up.
2818          */
2819         if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2820             p_dev_rec->security_required = BTM_SEC_NONE;
2821         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2822 
2823         /* Notify application that the cancel succeeded */
2824         if (btm_cb.api.p_bond_cancel_cmpl_callback)
2825             btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2826     }
2827 }
2828 
2829 /*******************************************************************************
2830 **
2831 ** Function         btm_create_conn_cancel_complete
2832 **
2833 ** Description      This function is called when the command complete message
2834 **                  is received from the HCI for the create connection cancel
2835 **                  command.
2836 **
2837 ** Returns          void
2838 **
2839 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2840 void btm_create_conn_cancel_complete (UINT8 *p)
2841 {
2842     UINT8       status;
2843 
2844     STREAM_TO_UINT8 (status, p);
2845     BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s  status:%d",
2846                       btm_pair_state_descr(btm_cb.pairing_state), status);
2847 
2848     /* if the create conn cancel cmd was issued by the bond cancel,
2849     ** the application needs to be notified that bond cancel succeeded
2850     */
2851     switch (status)
2852     {
2853         case HCI_SUCCESS:
2854             btm_sec_bond_cancel_complete();
2855             break;
2856         case HCI_ERR_CONNECTION_EXISTS:
2857         case HCI_ERR_NO_CONNECTION:
2858         default:
2859             /* Notify application of the error */
2860             if (btm_cb.api.p_bond_cancel_cmpl_callback)
2861                 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2862             break;
2863     }
2864 }
2865 
2866 /*******************************************************************************
2867 **
2868 ** Function         btm_sec_check_pending_reqs
2869 **
2870 ** Description      This function is called at the end of the security procedure
2871 **                  to let L2CAP and RFCOMM know to re-submit any pending requests
2872 **
2873 ** Returns          void
2874 **
2875 *******************************************************************************/
btm_sec_check_pending_reqs(void)2876 void btm_sec_check_pending_reqs (void)
2877 {
2878     tBTM_SEC_QUEUE_ENTRY    *p_e;
2879     BUFFER_Q                bq;
2880 
2881     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2882     {
2883         /* First, resubmit L2CAP requests */
2884         if (btm_cb.sec_req_pending)
2885         {
2886             btm_cb.sec_req_pending = FALSE;
2887             l2cu_resubmit_pending_sec_req (NULL);
2888         }
2889 
2890         /* Now, re-submit anything in the mux queue */
2891         bq = btm_cb.sec_pending_q;
2892 
2893         GKI_init_q (&btm_cb.sec_pending_q);
2894 
2895         while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2896         {
2897             /* Check that the ACL is still up before starting security procedures */
2898             if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL)
2899             {
2900                 if (p_e->psm != 0)
2901                 {
2902                     BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u",
2903                                     __FUNCTION__, p_e->psm, p_e->is_orig,
2904                                     p_e->mx_proto_id, p_e->mx_chan_id);
2905 
2906                     btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2907                                            p_e->mx_proto_id, p_e->mx_chan_id,
2908                                            p_e->p_callback, p_e->p_ref_data);
2909                 }
2910                 else
2911                 {
2912                     BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2913                                       p_e->p_ref_data);
2914                 }
2915             }
2916 
2917             GKI_freebuf (p_e);
2918         }
2919     }
2920 }
2921 
2922 /*******************************************************************************
2923 **
2924 ** Function         btm_sec_init
2925 **
2926 ** Description      This function is on the SEC startup
2927 **
2928 ** Returns          void
2929 **
2930 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2931 void btm_sec_init (UINT8 sec_mode)
2932 {
2933     btm_cb.security_mode = sec_mode;
2934     memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2935     btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2936 }
2937 
2938 /*******************************************************************************
2939 **
2940 ** Function         btm_sec_device_down
2941 **
2942 ** Description      This function should be called when device is disabled or
2943 **                  turned off
2944 **
2945 ** Returns          void
2946 **
2947 *******************************************************************************/
btm_sec_device_down(void)2948 void btm_sec_device_down (void)
2949 {
2950     BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
2951     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2952 }
2953 
2954 /*******************************************************************************
2955 **
2956 ** Function         btm_sec_dev_reset
2957 **
2958 ** Description      This function should be called after device reset
2959 **
2960 ** Returns          void
2961 **
2962 *******************************************************************************/
btm_sec_dev_reset(void)2963 void btm_sec_dev_reset (void)
2964 {
2965     if (controller_get_interface()->supports_simple_pairing())
2966     {
2967         /* set the default IO capabilities */
2968         btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2969         /* add mx service to use no security */
2970         BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2971                              BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2972     }
2973     else
2974     {
2975         btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2976     }
2977 
2978     BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2979 }
2980 
2981 /*******************************************************************************
2982 **
2983 ** Function         btm_sec_abort_access_req
2984 **
2985 ** Description      This function is called by the L2CAP or RFCOMM to abort
2986 **                  the pending operation.
2987 **
2988 ** Parameters:      bd_addr       - Address of the peer device
2989 **
2990 ** Returns          void
2991 **
2992 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2993 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2994 {
2995     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev (bd_addr);
2996 
2997     if (!p_dev_rec)
2998         return;
2999 
3000     if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
3001         && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
3002         return;
3003 
3004     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
3005     p_dev_rec->p_callback = NULL;
3006 }
3007 
3008 /*******************************************************************************
3009 **
3010 ** Function         btm_sec_dd_create_conn
3011 **
3012 ** Description      This function is called to create the ACL connection for
3013 **                  the dedicated boding process
3014 **
3015 ** Returns          void
3016 **
3017 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)3018 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
3019 {
3020     tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
3021     if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING))
3022     {
3023        BTM_TRACE_WARNING("%s Connection already exists", __func__);
3024        return BTM_CMD_STARTED;
3025     }
3026 
3027     /* Make sure an L2cap link control block is available */
3028     if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
3029     {
3030         BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
3031                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3032                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3033 
3034         return(BTM_NO_RESOURCES);
3035     }
3036 
3037     /* set up the control block to indicated dedicated bonding */
3038     btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
3039 
3040     if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
3041     {
3042         BTM_TRACE_WARNING ("Security Manager: failed create  [%02x%02x%02x%02x%02x%02x]",
3043                             p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3044                             p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3045 
3046         l2cu_release_lcb(p_lcb);
3047         return(BTM_NO_RESOURCES);
3048     }
3049 
3050     btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
3051 
3052     BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
3053                       p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3054                       p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3055 
3056     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
3057 
3058     return(BTM_CMD_STARTED);
3059 }
3060 
3061 /*******************************************************************************
3062 **
3063 ** Function         btm_sec_rmt_name_request_complete
3064 **
3065 ** Description      This function is called when remote name was obtained from
3066 **                  the peer device
3067 **
3068 ** Returns          void
3069 **
3070 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)3071 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
3072 {
3073     tBTM_SEC_DEV_REC *p_dev_rec;
3074     int              i;
3075     DEV_CLASS        dev_class;
3076     UINT8            old_sec_state;
3077 
3078     BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
3079     if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
3080         || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
3081     {
3082         btm_acl_resubmit_page();
3083     }
3084 
3085     /* If remote name request failed, p_bd_addr is null and we need to search */
3086     /* based on state assuming that we are doing 1 at a time */
3087     if (p_bd_addr)
3088         p_dev_rec = btm_find_dev (p_bd_addr);
3089     else
3090     {
3091         p_dev_rec = &btm_cb.sec_dev_rec[0];
3092 
3093         for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
3094         {
3095             if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
3096                 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
3097             {
3098                 p_bd_addr = p_dev_rec->bd_addr;
3099                 break;
3100             }
3101         }
3102 
3103         if (i == BTM_SEC_MAX_DEVICE_RECORDS)
3104             p_dev_rec = NULL;
3105     }
3106 
3107 
3108     /* Commenting out trace due to obf/compilation problems.
3109     */
3110 #if (BT_USE_TRACES == TRUE)
3111     if (!p_bd_name)
3112         p_bd_name = (UINT8 *)"";
3113 
3114     if (p_dev_rec)
3115     {
3116         BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s  RemName: %s  status: %d State:%d  p_dev_rec: 0x%08x ",
3117                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3118                           status, p_dev_rec->sec_state, p_dev_rec);
3119     }
3120     else
3121     {
3122         BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s  RemName: %s  status: %d",
3123                           btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3124                           status);
3125     }
3126 #endif
3127 
3128     if (p_dev_rec)
3129     {
3130         old_sec_state = p_dev_rec->sec_state;
3131         if (status == HCI_SUCCESS)
3132         {
3133             BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3134             p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3135             BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
3136         }
3137         else
3138         {
3139             /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3140             p_dev_rec->sec_bd_name[0] = 0;
3141         }
3142 
3143         if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
3144             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3145 
3146         /* Notify all clients waiting for name to be resolved */
3147         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3148         {
3149             if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3150                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3151                                                  p_dev_rec->sec_bd_name);
3152         }
3153     }
3154     else
3155     {
3156         dev_class[0] = 0;
3157         dev_class[1] = 0;
3158         dev_class[2] = 0;
3159 
3160         /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3161         for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3162         {
3163             if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3164                 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3165         }
3166 
3167         return;
3168     }
3169 
3170     /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3171     if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3172          &&  (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3173     {
3174         BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3175 
3176         if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
3177             ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
3178             btm_cb.api.p_pin_callback)
3179         {
3180             BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback");
3181             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3182             (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name,
3183                     (p_dev_rec->p_cur_service==NULL) ? FALSE
3184                      : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN));
3185         }
3186 
3187         /* Set the same state again to force the timer to be restarted */
3188         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3189         return;
3190     }
3191 
3192     /* Check if we were delaying bonding because name was not resolved */
3193     if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3194     {
3195         if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3196         {
3197             BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
3198             if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3199             {
3200                 btm_sec_bond_cancel_complete();
3201                 return;
3202             }
3203 
3204             if (status != HCI_SUCCESS)
3205             {
3206                 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3207 
3208                 if (btm_cb.api.p_auth_complete_callback)
3209                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3210                                                             p_dev_rec->sec_bd_name, status);
3211                 return;
3212             }
3213 
3214             /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3215             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3216             {
3217                 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3218                 /* If it is set, there may be a race condition */
3219                 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete  IS_SM4_UNKNOWN Flags:0x%04x",
3220                                    btm_cb.pairing_flags);
3221                 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3222                 {
3223                     p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3224                 }
3225             }
3226 
3227             BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
3228                 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3229                 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3230 
3231             /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3232             ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3233             */
3234             if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3235             {
3236                 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3237                 /*  before originating  */
3238                 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3239                 {
3240                     BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
3241                 }
3242                 /* Both we and the peer are 2.1 - continue to create connection */
3243                 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3244                 {
3245                     BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection");
3246 
3247                     btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3248 
3249                     if (btm_cb.api.p_auth_complete_callback)
3250                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
3251                                                             p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3252                 }
3253             }
3254             return;
3255         }
3256         else
3257         {
3258             BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
3259 
3260             BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3261             return;
3262         }
3263     }
3264 
3265     /* check if we were delaying link_key_callback because name was not resolved */
3266     if (p_dev_rec->link_key_not_sent)
3267     {
3268         /* If HCI connection complete has not arrived, wait for it */
3269         if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3270             return;
3271 
3272         p_dev_rec->link_key_not_sent = FALSE;
3273         btm_send_link_key_notif(p_dev_rec);
3274 
3275         /* If its not us who perform authentication, we should tell stackserver */
3276         /* that some authentication has been completed                          */
3277         /* This is required when different entities receive link notification and auth complete */
3278         if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3279         {
3280             if (btm_cb.api.p_auth_complete_callback)
3281                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3282                                                         p_dev_rec->dev_class,
3283                                                         p_dev_rec->sec_bd_name, HCI_SUCCESS);
3284 
3285         }
3286     }
3287 
3288     /* If this is a bonding procedure can disconnect the link now */
3289     if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3290         && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3291     {
3292         BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3293         p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3294         l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3295         return;
3296     }
3297 
3298     if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3299         return;
3300 
3301     /* If get name failed, notify the waiting layer */
3302     if (status != HCI_SUCCESS)
3303     {
3304         btm_sec_dev_rec_cback_event  (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3305         return;
3306     }
3307 
3308     if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3309     {
3310         BTM_TRACE_EVENT ("waiting for remote features!!");
3311         return;
3312     }
3313 
3314     /* Remote Name succeeded, execute the next security procedure, if any */
3315     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3316 
3317     /* If result is pending reply from the user or from the device is pending */
3318     if (status == BTM_CMD_STARTED)
3319         return;
3320 
3321     /* There is no next procedure or start of procedure failed, notify the waiting layer */
3322     btm_sec_dev_rec_cback_event  (p_dev_rec, status, FALSE);
3323 }
3324 
3325 /*******************************************************************************
3326 **
3327 ** Function         btm_sec_rmt_host_support_feat_evt
3328 **
3329 ** Description      This function is called when the
3330 **                  HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3331 **
3332 ** Returns          void
3333 **
3334 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3335 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3336 {
3337     tBTM_SEC_DEV_REC *p_dev_rec;
3338     BD_ADDR         bd_addr;        /* peer address */
3339     BD_FEATURES     features;
3340 
3341     STREAM_TO_BDADDR (bd_addr, p);
3342     p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3343 
3344     BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt  sm4: 0x%x  p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3345 
3346     if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3347     {
3348         p_dev_rec->sm4 = BTM_SM4_KNOWN;
3349         STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3350         if (HCI_SSP_HOST_SUPPORTED(features))
3351         {
3352             p_dev_rec->sm4 = BTM_SM4_TRUE;
3353         }
3354         BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3355     }
3356 }
3357 
3358 /*******************************************************************************
3359 **
3360 ** Function         btm_io_capabilities_req
3361 **
3362 ** Description      This function is called when LM request for the IO
3363 **                  capability of the local device and
3364 **                  if the OOB data is present for the device in the event
3365 **
3366 ** Returns          void
3367 **
3368 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3369 void btm_io_capabilities_req (UINT8 *p)
3370 {
3371     tBTM_SP_IO_REQ  evt_data;
3372     UINT8           err_code = 0;
3373     tBTM_SEC_DEV_REC *p_dev_rec;
3374     BOOLEAN         is_orig = TRUE;
3375     UINT8           callback_rc = BTM_SUCCESS;
3376 
3377     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3378 
3379     /* setup the default response according to compile options */
3380     /* assume that the local IO capability does not change
3381      * loc_io_caps is initialized with the default value */
3382     evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3383     evt_data.oob_data = BTM_OOB_NONE;
3384     evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3385 
3386     BTM_TRACE_EVENT("%s: State: %s", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state));
3387 
3388     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3389 
3390     BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", __FUNCTION__,
3391                       btm_cb.security_mode, p_dev_rec->num_read_pages);
3392 
3393     if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0))
3394     {
3395         BTM_TRACE_EVENT("%s: Device security mode is SC only.",
3396                          "To continue need to know remote features.", __FUNCTION__);
3397 
3398         p_dev_rec->remote_features_needed = TRUE;
3399         return;
3400     }
3401 
3402     p_dev_rec->sm4 |= BTM_SM4_TRUE;
3403 
3404     BTM_TRACE_EVENT("%s: State: %s  Flags: 0x%04x  p_cur_service: 0x%08x",
3405                      __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state),
3406                      btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3407 
3408     if (p_dev_rec->p_cur_service)
3409     {
3410         BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x",
3411                          __FUNCTION__, p_dev_rec->p_cur_service->psm,
3412                          p_dev_rec->p_cur_service->security_flags);
3413     }
3414 
3415     switch (btm_cb.pairing_state)
3416     {
3417         /* initiator connecting */
3418         case BTM_PAIR_STATE_IDLE:
3419             //TODO: Handle Idle pairing state
3420             //security_required = p_dev_rec->security_required;
3421             break;
3422 
3423         /* received IO capability response already->acceptor */
3424         case BTM_PAIR_STATE_INCOMING_SSP:
3425             is_orig = FALSE;
3426 
3427             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3428             {
3429                 /* acceptor in dedicated bonding */
3430                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3431             }
3432             break;
3433 
3434         /* initiator, at this point it is expected to be dedicated bonding
3435         initiated by local device */
3436         case BTM_PAIR_STATE_WAIT_PIN_REQ:
3437             if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3438             {
3439                 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3440             }
3441             else
3442             {
3443                 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3444             }
3445             break;
3446 
3447         /* any other state is unexpected */
3448         default:
3449             err_code = HCI_ERR_HOST_BUSY_PAIRING;
3450             BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __FUNCTION__,
3451                              btm_cb.pairing_state);
3452             break;
3453     }
3454 
3455     if (btm_cb.pairing_disabled)
3456     {
3457         /* pairing is not allowed */
3458         BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __FUNCTION__);
3459         err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3460     }
3461     else if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3462     {
3463         BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
3464         /* device in Secure Connections Only mode */
3465         if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
3466         {
3467             BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
3468                             " remote_support_for_sc 0x%02x -> fail pairing", __FUNCTION__,
3469                             local_supports_sc, p_dev_rec->remote_supports_secure_connections);
3470 
3471             err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3472         }
3473     }
3474 
3475     if (err_code != 0)
3476     {
3477 /* coverity[uninit_use_in_call]
3478 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3479 False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3480 */
3481         btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3482         return;
3483     }
3484 
3485     evt_data.is_orig = is_orig;
3486 
3487     if (is_orig)
3488     {
3489         /* local device initiated the pairing non-bonding -> use p_cur_service */
3490         if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3491             p_dev_rec->p_cur_service &&
3492             (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3493         {
3494             if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3495             {
3496                 /* SC only mode device requires MITM protection */
3497                 evt_data.auth_req = BTM_AUTH_SP_YES;
3498             }
3499             else
3500             {
3501                 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags &
3502                                      BTM_SEC_OUT_MITM)? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3503             }
3504         }
3505     }
3506 
3507     /* Notify L2CAP to increase timeout */
3508     l2c_pin_code_request (evt_data.bd_addr);
3509 
3510     memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3511 
3512 /* coverity[uninit_use_in_call]
3513 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3514 False-positive: False-positive: evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3515 */
3516     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3517         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3518 
3519     btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3520 
3521     callback_rc = BTM_SUCCESS;
3522     if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3523     {
3524         p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3525 
3526         /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3527         evt_data.auth_req = BTM_AUTH_SPGB_YES;
3528     }
3529     else if (btm_cb.api.p_sp_callback)
3530     {
3531         /* the callback function implementation may change the IO capability... */
3532         callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3533     }
3534 
3535 #if BTM_OOB_INCLUDED == TRUE
3536     if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3537 #else
3538     if (callback_rc == BTM_SUCCESS)
3539 #endif
3540     {
3541         if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3542         {
3543             evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3544         }
3545 
3546         if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3547         {
3548             /* At this moment we know that both sides are SC capable, device in */
3549             /* SC only mode requires MITM for any service so let's set MITM bit */
3550             evt_data.auth_req |= BTM_AUTH_YN_BIT;
3551             BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x",
3552                              __FUNCTION__, evt_data.auth_req);
3553         }
3554 
3555         /* if the user does not indicate "reply later" by setting the oob_data to unknown */
3556         /* send the response right now. Save the current IO capability in the control block */
3557         btm_cb.devcb.loc_auth_req   = evt_data.auth_req;
3558         btm_cb.devcb.loc_io_caps    = evt_data.io_cap;
3559 
3560         BTM_TRACE_EVENT("%s: State: %s  IO_CAP:%d oob_data:%d auth_req:%d",
3561                          __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3562                          evt_data.oob_data, evt_data.auth_req);
3563 
3564         btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3565                                     evt_data.oob_data, evt_data.auth_req);
3566     }
3567 }
3568 
3569 /*******************************************************************************
3570 **
3571 ** Function         btm_io_capabilities_rsp
3572 **
3573 ** Description      This function is called when the IO capability of the
3574 **                  specified device is received
3575 **
3576 ** Returns          void
3577 **
3578 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3579 void btm_io_capabilities_rsp (UINT8 *p)
3580 {
3581     tBTM_SEC_DEV_REC *p_dev_rec;
3582     tBTM_SP_IO_RSP evt_data;
3583 
3584     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3585     STREAM_TO_UINT8 (evt_data.io_cap, p);
3586     STREAM_TO_UINT8 (evt_data.oob_data, p);
3587     STREAM_TO_UINT8 (evt_data.auth_req, p);
3588 
3589     /* Allocate a new device record or reuse the oldest one */
3590     p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3591 
3592     /* If no security is in progress, this indicates incoming security */
3593     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3594     {
3595         memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3596 
3597         btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3598 
3599         /* Make sure we reset the trusted mask to help against attacks */
3600         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3601 
3602         /* work around for FW bug */
3603         btm_inq_stop_on_ssp();
3604     }
3605 
3606     /* Notify L2CAP to increase timeout */
3607     l2c_pin_code_request (evt_data.bd_addr);
3608 
3609     /* We must have a device record here.
3610      * Use the connecting device's CoD for the connection */
3611 /* coverity[uninit_use_in_call]
3612 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3613 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with:     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3614 */
3615     if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3616         memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3617 
3618     /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3619     if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3620         && (evt_data.auth_req & BTM_AUTH_DD_BOND) )            /* and dedicated bonding bit is set */
3621     {
3622         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3623     }
3624 
3625     /* save the IO capability in the device record */
3626     p_dev_rec->rmt_io_caps  = evt_data.io_cap;
3627     p_dev_rec->rmt_auth_req = evt_data.auth_req;
3628 
3629     if (btm_cb.api.p_sp_callback)
3630         (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3631 }
3632 
3633 /*******************************************************************************
3634 **
3635 ** Function         btm_proc_sp_req_evt
3636 **
3637 ** Description      This function is called to process/report
3638 **                  HCI_USER_CONFIRMATION_REQUEST_EVT
3639 **                  or HCI_USER_PASSKEY_REQUEST_EVT
3640 **                  or HCI_USER_PASSKEY_NOTIFY_EVT
3641 **
3642 ** Returns          void
3643 **
3644 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3645 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3646 {
3647     tBTM_STATUS status = BTM_ERR_PROCESSING;
3648     tBTM_SP_EVT_DATA evt_data;
3649     UINT8               *p_bda = evt_data.cfm_req.bd_addr;
3650     tBTM_SEC_DEV_REC *p_dev_rec;
3651 
3652     /* All events start with bd_addr */
3653     STREAM_TO_BDADDR (p_bda, p);
3654 
3655     BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3656                       (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3657                       event, btm_pair_state_descr(btm_cb.pairing_state));
3658 
3659     if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3660          &&  (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3661          &&  (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3662     {
3663         memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3664         memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3665 
3666         BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3667 
3668         switch (event)
3669         {
3670             case BTM_SP_CFM_REQ_EVT:
3671                 /* Numeric confirmation. Need user to conf the passkey */
3672                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3673 
3674                 /* The device record must be allocated in the "IO cap exchange" step */
3675                 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3676 
3677                 evt_data.cfm_req.just_works = TRUE;
3678 
3679                 /* process user confirm req in association with the auth_req param */
3680 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3681                 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3682                      &&  (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3683                      &&  ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3684                 {
3685                     /* Both devices are DisplayYesNo and one or both devices want to authenticate
3686                        -> use authenticated link key */
3687                     evt_data.cfm_req.just_works = FALSE;
3688                 }
3689 #endif
3690                 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt()  just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3691                                   evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3692                                   btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3693 
3694                 evt_data.cfm_req.loc_auth_req   = btm_cb.devcb.loc_auth_req;
3695                 evt_data.cfm_req.rmt_auth_req   = p_dev_rec->rmt_auth_req;
3696                 evt_data.cfm_req.loc_io_caps    = btm_cb.devcb.loc_io_caps;
3697                 evt_data.cfm_req.rmt_io_caps    = p_dev_rec->rmt_io_caps;
3698                 break;
3699 
3700             case BTM_SP_KEY_NOTIF_EVT:
3701                 /* Passkey notification (other side is a keyboard) */
3702                 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3703 
3704                 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT:  passkey: %u", evt_data.key_notif.passkey);
3705 
3706                 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3707                 break;
3708 
3709 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3710             case BTM_SP_KEY_REQ_EVT:
3711                 /* HCI_USER_PASSKEY_REQUEST_EVT */
3712                 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3713                 break;
3714 #endif
3715         }
3716 
3717         if (btm_cb.api.p_sp_callback)
3718         {
3719             status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3720             if (status != BTM_NOT_AUTHORIZED)
3721             {
3722                 return;
3723             }
3724             /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3725         }
3726         else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3727         {
3728             /* automatically reply with just works if no sp_cback */
3729             status = BTM_SUCCESS;
3730         }
3731 
3732         if (event == BTM_SP_CFM_REQ_EVT)
3733         {
3734             BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3735             BTM_ConfirmReqReply (status, p_bda);
3736         }
3737 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3738         else if (event == BTM_SP_KEY_REQ_EVT)
3739         {
3740             BTM_PasskeyReqReply(status, p_bda, 0);
3741         }
3742 #endif
3743         return;
3744     }
3745 
3746     /* Something bad. we can only fail this connection */
3747     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3748 
3749     if (BTM_SP_CFM_REQ_EVT == event)
3750     {
3751         btsnd_hcic_user_conf_reply (p_bda, FALSE);
3752     }
3753     else if (BTM_SP_KEY_NOTIF_EVT == event)
3754     {
3755         /* do nothing -> it very unlikely to happen.
3756         This event is most likely to be received by a HID host when it first connects to a HID device.
3757         Usually the Host initiated the connection in this case.
3758         On Mobile platforms, if there's a security process happening,
3759         the host probably can not initiate another connection.
3760         BTW (PC) is another story.  */
3761         if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3762         {
3763             btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3764         }
3765     }
3766 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3767     else
3768     {
3769         btsnd_hcic_user_passkey_neg_reply(p_bda);
3770     }
3771 #endif
3772 }
3773 
3774 /*******************************************************************************
3775 **
3776 ** Function         btm_keypress_notif_evt
3777 **
3778 ** Description      This function is called when a key press notification is
3779 **                  received
3780 **
3781 ** Returns          void
3782 **
3783 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3784 void  btm_keypress_notif_evt (UINT8 *p)
3785 {
3786     tBTM_SP_KEYPRESS    evt_data;
3787     UINT8 *p_bda;
3788 
3789     /* parse & report BTM_SP_KEYPRESS_EVT */
3790     if (btm_cb.api.p_sp_callback)
3791     {
3792         p_bda = evt_data.bd_addr;
3793 
3794         STREAM_TO_BDADDR (p_bda, p);
3795         evt_data.notif_type = *p;
3796 
3797         (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3798     }
3799 }
3800 
3801 /*******************************************************************************
3802 **
3803 ** Function         btm_simple_pair_complete
3804 **
3805 ** Description      This function is called when simple pairing process is
3806 **                  complete
3807 **
3808 ** Returns          void
3809 **
3810 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3811 void btm_simple_pair_complete (UINT8 *p)
3812 {
3813     tBTM_SP_COMPLT  evt_data;
3814     tBTM_SEC_DEV_REC *p_dev_rec;
3815     UINT8           status;
3816     BOOLEAN         disc = FALSE;
3817 
3818     status = *p++;
3819     STREAM_TO_BDADDR (evt_data.bd_addr, p);
3820 
3821     if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3822     {
3823         BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3824                           (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3825                           (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3826         return;
3827     }
3828 
3829     BTM_TRACE_EVENT ("btm_simple_pair_complete()  Pair State: %s  Status:%d  sec_state: %u",
3830                       btm_pair_state_descr(btm_cb.pairing_state),  status, p_dev_rec->sec_state);
3831 
3832     evt_data.status = BTM_ERR_PROCESSING;
3833     if (status == HCI_SUCCESS)
3834     {
3835         evt_data.status = BTM_SUCCESS;
3836         p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3837     }
3838     else
3839     {
3840         if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3841         {
3842             /* The test spec wants the peer device to get this failure code. */
3843             btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3844 
3845             /* Change the timer to 1 second */
3846             btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3847         }
3848         else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3849         {
3850             /* stop the timer */
3851             btu_stop_timer (&btm_cb.pairing_tle);
3852 
3853             if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3854             {
3855                 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3856                 disc = TRUE;
3857             }
3858         }
3859         else
3860             disc = TRUE;
3861     }
3862 
3863     /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3864     memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3865     memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3866 
3867     if (btm_cb.api.p_sp_callback)
3868         (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3869 
3870     if (disc)
3871     {
3872         /* simple pairing failed */
3873         /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3874         if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3875         {
3876             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3877         }
3878     }
3879 }
3880 
3881 #if BTM_OOB_INCLUDED == TRUE
3882 /*******************************************************************************
3883 **
3884 ** Function         btm_rem_oob_req
3885 **
3886 ** Description      This function is called to process/report
3887 **                  HCI_REMOTE_OOB_DATA_REQUEST_EVT
3888 **
3889 ** Returns          void
3890 **
3891 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3892 void btm_rem_oob_req (UINT8 *p)
3893 {
3894     UINT8 *p_bda;
3895     tBTM_SP_RMT_OOB  evt_data;
3896     tBTM_SEC_DEV_REC *p_dev_rec;
3897     BT_OCTET16      c;
3898     BT_OCTET16      r;
3899 
3900     p_bda = evt_data.bd_addr;
3901 
3902     STREAM_TO_BDADDR (p_bda, p);
3903 
3904     BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3905                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3906 
3907     if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3908          btm_cb.api.p_sp_callback)
3909     {
3910         memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3911         memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3912         BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3913         evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3914 
3915         btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3916         if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3917         {
3918             BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3919         }
3920         return;
3921     }
3922 
3923     /* something bad. we can only fail this connection */
3924     btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3925     btsnd_hcic_rem_oob_neg_reply (p_bda);
3926 }
3927 
3928 /*******************************************************************************
3929 **
3930 ** Function         btm_read_local_oob_complete
3931 **
3932 ** Description      This function is called when read local oob data is
3933 **                  completed by the LM
3934 **
3935 ** Returns          void
3936 **
3937 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3938 void btm_read_local_oob_complete (UINT8 *p)
3939 {
3940     tBTM_SP_LOC_OOB evt_data;
3941     UINT8           status = *p++;
3942 
3943     BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3944     if (status == HCI_SUCCESS)
3945     {
3946         evt_data.status = BTM_SUCCESS;
3947         STREAM_TO_ARRAY16(evt_data.c, p);
3948         STREAM_TO_ARRAY16(evt_data.r, p);
3949     }
3950     else
3951         evt_data.status = BTM_ERR_PROCESSING;
3952 
3953     if (btm_cb.api.p_sp_callback)
3954         (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3955 }
3956 #endif /* BTM_OOB_INCLUDED */
3957 
3958 /*******************************************************************************
3959 **
3960 ** Function         btm_sec_auth_collision
3961 **
3962 ** Description      This function is called when authentication or encryption
3963 **                  needs to be retried at a later time.
3964 **
3965 ** Returns          void
3966 **
3967 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3968 static void btm_sec_auth_collision (UINT16 handle)
3969 {
3970     tBTM_SEC_DEV_REC *p_dev_rec;
3971 
3972     if (!btm_cb.collision_start_time)
3973         btm_cb.collision_start_time = GKI_get_os_tick_count();
3974 
3975     if ((GKI_get_os_tick_count() - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3976     {
3977         if (handle == BTM_SEC_INVALID_HANDLE)
3978         {
3979             if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3980                 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3981         }
3982         else
3983             p_dev_rec = btm_find_dev_by_handle (handle);
3984 
3985         if (p_dev_rec != NULL)
3986         {
3987             BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3988             /* We will restart authentication after timeout */
3989             if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3990                 p_dev_rec->sec_state = 0;
3991 
3992             btm_cb.p_collided_dev_rec = p_dev_rec;
3993             btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
3994             btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3995         }
3996     }
3997 }
3998 
3999 /*******************************************************************************
4000 **
4001 ** Function         btm_sec_auth_complete
4002 **
4003 ** Description      This function is when authentication of the connection is
4004 **                  completed by the LM
4005 **
4006 ** Returns          void
4007 **
4008 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)4009 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
4010 {
4011     UINT8            old_sm4;
4012     tBTM_PAIRING_STATE  old_state   = btm_cb.pairing_state;
4013     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4014     BOOLEAN             are_bonding = FALSE;
4015 
4016     /* Commenting out trace due to obf/compilation problems.
4017     */
4018 #if (BT_USE_TRACES == TRUE)
4019     if (p_dev_rec)
4020     {
4021         BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d  dev->sec_state: %u  Bda:%08x, RName:%s",
4022                           btm_pair_state_descr (btm_cb.pairing_state),
4023                           handle, status,
4024                           p_dev_rec->sec_state,
4025                           (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
4026                           p_dev_rec->sec_bd_name);
4027     }
4028     else
4029     {
4030         BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s  handle:%u  status:%d",
4031                           btm_pair_state_descr (btm_cb.pairing_state),
4032                           handle, status);
4033     }
4034 #endif
4035 
4036     /* For transaction collision we need to wait and repeat.  There is no need */
4037     /* for random timeout because only slave should receive the result */
4038     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4039     {
4040         btm_sec_auth_collision(handle);
4041         return;
4042     }
4043     btm_cb.collision_start_time = 0;
4044 
4045     btm_restore_mode();
4046 
4047     /* Check if connection was made just to do bonding.  If we authenticate
4048        the connection that is up, this is the last event received.
4049     */
4050     if (p_dev_rec
4051         && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4052         && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
4053     {
4054         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4055 
4056         l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4057     }
4058 
4059     if (!p_dev_rec)
4060         return;
4061 
4062     /* keep the old sm4 flag and clear the retry bit in control block */
4063     old_sm4 = p_dev_rec->sm4;
4064     p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
4065 
4066     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4067          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4068          &&  (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4069         are_bonding = TRUE;
4070 
4071     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4072           &&  (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4073         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4074 
4075     if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
4076     {
4077         if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
4078              &&  (old_state != BTM_PAIR_STATE_IDLE) )
4079         {
4080             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4081                                                     p_dev_rec->dev_class,
4082                                                     p_dev_rec->sec_bd_name, status);
4083         }
4084         return;
4085     }
4086 
4087     /* There can be a race condition, when we are starting authentication and
4088     ** the peer device is doing encryption.
4089     ** If first we receive encryption change up, then initiated authentication
4090     ** can not be performed.  According to the spec we can not do authentication
4091     ** on the encrypted link, so device is correct.
4092     */
4093     if ((status == HCI_ERR_COMMAND_DISALLOWED)
4094         && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
4095             (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
4096     {
4097         status = HCI_SUCCESS;
4098     }
4099     /* Currently we do not notify user if it is a keyboard which connects */
4100     /* User probably Disabled the keyboard while it was asleap.  Let her try */
4101     if (btm_cb.api.p_auth_complete_callback)
4102     {
4103         /* report the suthentication status */
4104         if (old_state != BTM_PAIR_STATE_IDLE)
4105             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4106                                                     p_dev_rec->dev_class,
4107                                                     p_dev_rec->sec_bd_name, status);
4108     }
4109 
4110     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4111 
4112     /* If this is a bonding procedure can disconnect the link now */
4113     if (are_bonding)
4114     {
4115         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4116 
4117         if (status != HCI_SUCCESS)
4118         {
4119             if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
4120                 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
4121         }
4122         else
4123         {
4124             BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL");
4125             if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec))
4126                 /* no LE keys are available, do deriving */
4127                  && (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4128                 /* or BR key is higher security than existing LE keys */
4129                  (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
4130                  (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4131             {
4132                 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL");
4133 
4134                 if (btm_sec_is_master(p_dev_rec))
4135                 {
4136                     // Encryption is required to start SM over BR/EDR
4137                     // indicate that this is encryption after authentication
4138                     BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL);
4139                 }
4140             }
4141             l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4142         }
4143 
4144         return;
4145     }
4146 
4147     /* If authentication failed, notify the waiting layer */
4148     if (status != HCI_SUCCESS)
4149     {
4150         if ((old_sm4 & BTM_SM4_RETRY) == 0)
4151         {
4152             /* allow retry only once */
4153             if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
4154             {
4155                 /* not retried yet. set the retry bit */
4156                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4157                 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4158             }
4159             /* this retry for missing key is for Lisbon or later only.
4160              * Legacy device do not need this. the controller will drive the retry automatically */
4161             else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
4162             {
4163                 /* not retried yet. set the retry bit */
4164                 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4165                 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4166                 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4167 
4168                 /* With BRCM controller, we do not need to delete the stored link key in controller.
4169                 If the stack may sit on top of other controller, we may need this
4170                 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4171             }
4172 
4173             if (p_dev_rec->sm4 & BTM_SM4_RETRY)
4174             {
4175                 btm_sec_execute_procedure (p_dev_rec);
4176                 return;
4177             }
4178         }
4179 
4180         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4181 
4182         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
4183         {
4184             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4185         }
4186         return;
4187     }
4188 
4189     p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4190 
4191     if (p_dev_rec->pin_code_length >= 16 ||
4192         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4193         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4194         // If we have MITM protection we have a higher level of security than
4195         // provided by 16 digits PIN
4196         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4197     }
4198 
4199     /* Authentication succeeded, execute the next security procedure, if any */
4200     status = btm_sec_execute_procedure (p_dev_rec);
4201 
4202     /* If there is no next procedure, or procedure failed to start, notify the caller */
4203     if (status != BTM_CMD_STARTED)
4204         btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4205 }
4206 
4207 /*******************************************************************************
4208 **
4209 ** Function         btm_sec_encrypt_change
4210 **
4211 ** Description      This function is when encryption of the connection is
4212 **                  completed by the LM
4213 **
4214 ** Returns          void
4215 **
4216 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4217 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4218 {
4219     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4220 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4221     tACL_CONN       *p_acl = NULL;
4222     UINT8           acl_idx = btm_handle_to_acl_index(handle);
4223 #endif
4224     BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
4225                       status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4226     BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4227 
4228     /* For transaction collision we need to wait and repeat.  There is no need */
4229     /* for random timeout because only slave should receive the result */
4230     if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
4231         (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4232     {
4233         btm_sec_auth_collision(handle);
4234         return;
4235     }
4236     btm_cb.collision_start_time = 0;
4237 
4238     if (!p_dev_rec)
4239         return;
4240 
4241     if ((status == HCI_SUCCESS) && encr_enable)
4242     {
4243         if (p_dev_rec->hci_handle == handle) {
4244             p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4245             if (p_dev_rec->pin_code_length >= 16 ||
4246                 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4247                 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4248                 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4249             }
4250         }
4251         else
4252         {
4253             p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4254         }
4255     }
4256 
4257     /* It is possible that we decrypted the link to perform role switch */
4258     /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4259     if ((status == HCI_SUCCESS) && !encr_enable)
4260     {
4261         if (p_dev_rec->hci_handle == handle)
4262             p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4263         else
4264             p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4265     }
4266 
4267     BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4268 
4269 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4270     if (acl_idx != MAX_L2CAP_LINKS)
4271         p_acl = &btm_cb.acl_db[acl_idx];
4272 
4273     if (p_acl != NULL)
4274         btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable);
4275 
4276     if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
4277     {
4278         if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE ||
4279             status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
4280         {
4281             p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4282             p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
4283         }
4284         btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable);
4285         return;
4286     }
4287     else
4288     {
4289         /* BR/EDR connection, update the encryption key size to be 16 as always */
4290         p_dev_rec->enc_key_size = 16;
4291     }
4292 
4293      BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d",
4294                        __func__, p_dev_rec->new_encryption_key_is_p256);
4295 
4296     if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle))
4297     {
4298         if (p_dev_rec->new_encryption_key_is_p256)
4299         {
4300             if (btm_sec_use_smp_br_chnl(p_dev_rec) &&
4301                 btm_sec_is_master(p_dev_rec) &&
4302                 /* if LE key is not known, do deriving */
4303                 (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4304                 /* or BR key is higher security than existing LE keys */
4305                  (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
4306                  && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4307             {
4308                 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
4309                 p_dev_rec->new_encryption_key_is_p256 = FALSE;
4310 
4311                 if (p_dev_rec->no_smp_on_br)
4312                 {
4313                     BTM_TRACE_DEBUG ("%s NO SM over BR/EDR", __func__);
4314                 }
4315                 else
4316                 {
4317                     BTM_TRACE_DEBUG ("%s start SM over BR/EDR", __func__);
4318                     SMP_BR_PairWith(p_dev_rec->bd_addr);
4319                 }
4320             }
4321         }
4322         else
4323         {
4324             // BR/EDR is successfully encrypted. Correct LK type if needed
4325             // (BR/EDR LK derived from LE LTK was used for encryption)
4326             if ((encr_enable == 1)  && /* encryption is ON for SSP */
4327                 /* LK type is for BR/EDR SC */
4328                 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
4329                  p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4330             {
4331                 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
4332                     p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
4333                 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
4334                     p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
4335 
4336                 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
4337                 btm_send_link_key_notif(p_dev_rec);
4338             }
4339         }
4340     }
4341 #else
4342     btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
4343 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */
4344 
4345     /* If this encryption was started by peer do not need to do anything */
4346     if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4347     {
4348         if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4349         {
4350             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4351             p_dev_rec->p_callback = NULL;
4352             l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4353         }
4354         return;
4355     }
4356 
4357     p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4358     /* If encryption setup failed, notify the waiting layer */
4359     if (status != HCI_SUCCESS)
4360     {
4361         btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4362         return;
4363     }
4364 
4365     /* Encryption setup succeeded, execute the next security procedure, if any */
4366     status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4367     /* If there is no next procedure, or procedure failed to start, notify the caller */
4368     if (status != BTM_CMD_STARTED)
4369         btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4370 }
4371 
4372 /*******************************************************************************
4373 **
4374 ** Function         btm_sec_connect_after_reject_timeout
4375 **
4376 ** Description      Connection for bonding could not start because of the collision
4377 **                  Initiate outgoing connection
4378 **
4379 ** Returns          Pointer to the TLE struct
4380 **
4381 *******************************************************************************/
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4382 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4383 {
4384     tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4385     UNUSED(p_tle);
4386 
4387     BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()");
4388     btm_cb.sec_collision_tle.param = 0;
4389     btm_cb.p_collided_dev_rec = 0;
4390 
4391     if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4392     {
4393         BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4394 
4395         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4396 
4397         if (btm_cb.api.p_auth_complete_callback)
4398         (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,  p_dev_rec->dev_class,
4399                                                 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4400     }
4401 }
4402 
4403 /*******************************************************************************
4404 **
4405 ** Function         btm_sec_connected
4406 **
4407 ** Description      This function is when a connection to the peer device is
4408 **                  establsihed
4409 **
4410 ** Returns          void
4411 **
4412 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4413 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4414 {
4415     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4416     UINT8            res;
4417     BOOLEAN          is_pairing_device = FALSE;
4418     tACL_CONN        *p_acl_cb;
4419     UINT8            bit_shift = 0;
4420 
4421     btm_acl_resubmit_page();
4422 
4423     /* Commenting out trace due to obf/compilation problems.
4424     */
4425 #if (BT_USE_TRACES == TRUE)
4426     if (p_dev_rec)
4427     {
4428         BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x RName:%s",
4429                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4430                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4431                           p_dev_rec->sec_bd_name);
4432     }
4433     else
4434     {
4435         BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s  handle:%d status:%d enc_mode:%d  bda:%x ",
4436                           btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4437                           (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4438     }
4439 #endif
4440 
4441     if (!p_dev_rec)
4442     {
4443         /* There is no device record for new connection.  Allocate one */
4444         if (status == HCI_SUCCESS)
4445         {
4446             p_dev_rec = btm_sec_alloc_dev (bda);
4447         }
4448         else
4449         {
4450             /* If the device matches with stored paring address
4451              * reset the paring state to idle */
4452             if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4453                 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0))
4454             {
4455                 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4456             }
4457 
4458             /* can not find the device record and the status is error,
4459              * just ignore it */
4460             return;
4461         }
4462     }
4463     else    /* Update the timestamp for this device */
4464     {
4465 
4466 #if BLE_INCLUDED == TRUE
4467         bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4468 #endif
4469         p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4470         if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4471         {
4472             /* tell L2CAP it's a bonding connection. */
4473             if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4474                  &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4475                  &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4476             {
4477                 /* if incoming connection failed while pairing, then try to connect and continue */
4478                 /* Motorola S9 disconnects without asking pin code */
4479                 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4480                 {
4481                     BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4482 
4483                     p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4484                     if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4485                     {
4486                         /* Start timer with 0 to initiate connection with new LCB */
4487                         /* because L2CAP will delete current LCB with this event  */
4488                         btm_cb.p_collided_dev_rec = p_dev_rec;
4489                         btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4490                         btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4491                     }
4492                     else
4493                     {
4494                         btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4495                         BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4496                     }
4497 #if BTM_DISC_DURING_RS == TRUE
4498                     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4499 #endif
4500                     return;
4501                 }
4502                 else
4503                 {
4504                     l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4505                 }
4506             }
4507             /* always clear the pending flag */
4508             p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4509         }
4510     }
4511 
4512 #if BLE_INCLUDED == TRUE
4513     p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4514 #endif
4515 
4516 #if BTM_DISC_DURING_RS == TRUE
4517     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4518 #endif
4519 
4520     p_dev_rec->rs_disc_pending   = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4521 
4522     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4523          && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4524     {
4525         /* if we rejected incoming connection from bonding device */
4526         if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4527             &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4528         {
4529             BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4530                 btm_cb.pairing_flags, p_dev_rec->sm4);
4531 
4532             btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4533             if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4534             {
4535                 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4536                 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4537                 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4538                 return;
4539             }
4540 
4541             /* if we already have pin code */
4542             if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4543             {
4544                 /* Start timer with 0 to initiate connection with new LCB */
4545                 /* because L2CAP will delete current LCB with this event  */
4546                 btm_cb.p_collided_dev_rec = p_dev_rec;
4547                 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4548                 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4549             }
4550 
4551             return;
4552         }
4553         /* wait for incoming connection without resetting pairing state */
4554         else if (status == HCI_ERR_CONNECTION_EXISTS)
4555         {
4556             BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4557             return;
4558         }
4559 
4560         is_pairing_device = TRUE;
4561     }
4562 
4563     /* If connection was made to do bonding restore link security if changed */
4564     btm_restore_mode();
4565 
4566     /* if connection fails during pin request, notify application */
4567     if (status != HCI_SUCCESS)
4568     {
4569         /* If connection failed because of during pairing, need to tell user */
4570         if (is_pairing_device)
4571         {
4572             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4573             p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4574             BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4575 
4576             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4577 
4578             /* We need to notify host that the key is not known any more */
4579             if (btm_cb.api.p_auth_complete_callback)
4580             {
4581                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4582                                                         p_dev_rec->dev_class,
4583                                                         p_dev_rec->sec_bd_name, status);
4584             }
4585         }
4586  /*
4587      Do not send authentication failure, if following conditions hold good
4588       1.  BTM Sec Pairing state is idle
4589       2.  Link key for the remote device is present.
4590       3.  Remote is SSP capable.
4591   */
4592         else if  ((p_dev_rec->link_key_type  <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4593                  (((status == HCI_ERR_AUTH_FAILURE)                      ||
4594                  (status == HCI_ERR_KEY_MISSING)                         ||
4595                  (status == HCI_ERR_HOST_REJECT_SECURITY)                ||
4596                  (status == HCI_ERR_PAIRING_NOT_ALLOWED)                 ||
4597                  (status == HCI_ERR_UNIT_KEY_USED)                       ||
4598                  (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4599                  (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)           ||
4600                  (status == HCI_ERR_REPEATED_ATTEMPTS))))
4601         {
4602             p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4603             p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4604 
4605 
4606 #ifdef BRCM_NOT_4_BTE
4607             /* If we rejected pairing, pass this special result code */
4608             if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4609             {
4610                 status = HCI_ERR_HOST_REJECT_SECURITY;
4611             }
4612 #endif
4613 
4614             /* We need to notify host that the key is not known any more */
4615             if (btm_cb.api.p_auth_complete_callback)
4616             {
4617                 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4618                                                         p_dev_rec->dev_class,
4619                                                         p_dev_rec->sec_bd_name, status);
4620             }
4621         }
4622 
4623         if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT  ||
4624             status == HCI_ERR_UNSPECIFIED     || status == HCI_ERR_PAGE_TIMEOUT)
4625             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4626         else
4627             btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4628 
4629         return;
4630     }
4631 
4632     /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4633     /* If dedicated bonding, and we now have a link key, we are all done */
4634     if ( is_pairing_device
4635          && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4636     {
4637         if (p_dev_rec->link_key_not_sent)
4638         {
4639             p_dev_rec->link_key_not_sent = FALSE;
4640             btm_send_link_key_notif(p_dev_rec);
4641         }
4642 
4643         p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4644 
4645         /* remember flag before it is initialized */
4646         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4647             res = TRUE;
4648         else
4649             res = FALSE;
4650 
4651         if (btm_cb.api.p_auth_complete_callback)
4652             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4653                                                     p_dev_rec->dev_class,
4654                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4655 
4656         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4657 
4658         if ( res )
4659         {
4660             /* Let l2cap start bond timer */
4661             l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4662         }
4663 
4664         return;
4665     }
4666 
4667     p_dev_rec->hci_handle = handle;
4668 
4669     /* role may not be correct here, it will be updated by l2cap, but we need to */
4670     /* notify btm_acl that link is up, so starting of rmt name request will not */
4671     /* set paging flag up */
4672     p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4673     if (p_acl_cb)
4674     {
4675         /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4676 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4677         /* For now there are a some devices that do not like sending */
4678         /* commands events and data at the same time. */
4679         /* Set the packet types to the default allowed by the device */
4680         btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4681 
4682         if (btm_cb.btm_def_link_policy)
4683             BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4684 #endif
4685     }
4686     btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4687 
4688     /* Initialize security flags.  We need to do that because some            */
4689     /* authorization complete could have come after the connection is dropped */
4690     /* and that would set wrong flag that link has been authorized already    */
4691     p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4692                               BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4693 
4694     if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4695         p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4696 
4697     if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4698         p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4699 
4700     if (p_dev_rec->pin_code_length >= 16 ||
4701         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4702         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4703         p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift);
4704     }
4705 
4706     p_dev_rec->link_key_changed = FALSE;
4707 
4708     /* After connection is established we perform security if we do not know */
4709     /* the name, or if we are originator because some procedure can have */
4710     /* been scheduled while connection was down */
4711     BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4712     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4713     {
4714         if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4715             btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4716     }
4717     return;
4718 }
4719 
4720 /*******************************************************************************
4721 **
4722 ** Function         btm_sec_disconnect
4723 **
4724 ** Description      This function is called to disconnect HCI link
4725 **
4726 ** Returns          btm status
4727 **
4728 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4729 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4730 {
4731     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4732 
4733     /* In some weird race condition we may not have a record */
4734     if (!p_dev_rec)
4735     {
4736         btsnd_hcic_disconnect (handle, reason);
4737         return(BTM_SUCCESS);
4738     }
4739 
4740     /* If we are in the process of bonding we need to tell client that auth failed */
4741     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4742          &&  (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4743          &&  (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4744     {
4745         /* we are currently doing bonding.  Link will be disconnected when done */
4746         btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4747         return(BTM_BUSY);
4748     }
4749 
4750     return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4751 }
4752 
4753 /*******************************************************************************
4754 **
4755 ** Function         btm_sec_disconnected
4756 **
4757 ** Description      This function is when a connection to the peer device is
4758 **                  dropped
4759 **
4760 ** Returns          void
4761 **
4762 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4763 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4764 {
4765     tBTM_SEC_DEV_REC  *p_dev_rec = btm_find_dev_by_handle (handle);
4766     UINT8             old_pairing_flags = btm_cb.pairing_flags;
4767     int               result = HCI_ERR_AUTH_FAILURE;
4768     tBTM_SEC_CALLBACK   *p_callback = NULL;
4769     tBT_TRANSPORT      transport = BT_TRANSPORT_BR_EDR;
4770 
4771     /* If page was delayed for disc complete, can do it now */
4772     btm_cb.discing = FALSE;
4773 
4774     btm_acl_resubmit_page();
4775 
4776     if (!p_dev_rec)
4777         return;
4778 
4779     transport  = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4780 
4781     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4782 
4783 #if BTM_DISC_DURING_RS == TRUE
4784     LOG_INFO("%s clearing pending flag handle:%d reason:%d", __func__, handle, reason);
4785     p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING;     /* reset flag */
4786 #endif
4787 
4788     /* clear unused flags */
4789     p_dev_rec->sm4 &= BTM_SM4_TRUE;
4790 
4791     uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr;
4792     BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x"
4793             "  remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state),
4794             reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name);
4795 
4796     BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4797 
4798     /* If we are in the process of bonding we need to tell client that auth failed */
4799     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4800          && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4801     {
4802         btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4803         p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4804         if (btm_cb.api.p_auth_complete_callback)
4805         {
4806             /* If the disconnection reason is REPEATED_ATTEMPTS,
4807                send this error message to complete callback function
4808                to display the error message of Repeated attempts.
4809                All others, send HCI_ERR_AUTH_FAILURE. */
4810             if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4811             {
4812                 result = HCI_ERR_REPEATED_ATTEMPTS;
4813             }
4814             else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4815             {
4816                 result = HCI_ERR_HOST_REJECT_SECURITY;
4817             }
4818             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,     p_dev_rec->dev_class,
4819                                                     p_dev_rec->sec_bd_name, result);
4820         }
4821     }
4822 
4823 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4824     btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4825     /* see sec_flags processing in btm_acl_removed */
4826 
4827     if (transport == BT_TRANSPORT_LE)
4828     {
4829         p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4830         p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4831         p_dev_rec->enc_key_size = 0;
4832     }
4833     else
4834 #endif
4835     {
4836         p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4837         p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
4838                 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
4839     }
4840 
4841 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4842     if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)
4843     {
4844         p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ?
4845                                 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
4846         return;
4847     }
4848 #endif
4849     p_dev_rec->sec_state  = BTM_SEC_STATE_IDLE;
4850     p_dev_rec->security_required = BTM_SEC_NONE;
4851 
4852     p_callback = p_dev_rec->p_callback;
4853 
4854     /* if security is pending, send callback to clean up the security state */
4855     if(p_callback)
4856     {
4857         p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4858                                          we do, this call back must be reset here */
4859         (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4860     }
4861 
4862     BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4863 }
4864 
4865 /*******************************************************************************
4866 **
4867 ** Function         btm_sec_link_key_notification
4868 **
4869 ** Description      This function is called when a new connection link key is
4870 **                  generated
4871 **
4872 ** Returns          Pointer to the record or NULL
4873 **
4874 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4875 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4876 {
4877     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4878     BOOLEAN         we_are_bonding = FALSE;
4879     BOOLEAN         ltk_derived_lk  = FALSE;
4880 
4881     BTM_TRACE_EVENT ("btm_sec_link_key_notification()  BDA:%04x%08x, TYPE: %d",
4882                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4883                       key_type);
4884 
4885     if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4886         (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256))
4887     {
4888         ltk_derived_lk = TRUE;
4889         key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4890     }
4891     /* If connection was made to do bonding restore link security if changed */
4892     btm_restore_mode();
4893 
4894     if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4895         p_dev_rec->link_key_type = key_type;
4896 
4897     p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4898 
4899     /*
4900      * Until this point in time, we do not know if MITM was enabled, hence we
4901      * add the extended security flag here.
4902      */
4903     if (p_dev_rec->pin_code_length >= 16 ||
4904         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4905         p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4906         p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4907     }
4908 
4909 #if (BLE_INCLUDED == TRUE)
4910     /* BR/EDR connection, update the encryption key size to be 16 as always */
4911     p_dev_rec->enc_key_size = 16;
4912 #endif
4913     memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4914 
4915     if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4916          && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4917     {
4918         if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4919             we_are_bonding = TRUE;
4920         else
4921             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4922     }
4923 
4924     /* save LTK derived LK no matter what */
4925     if (ltk_derived_lk)
4926     {
4927         if (btm_cb.api.p_link_key_callback)
4928         {
4929                 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)",
4930                                   __FUNCTION__, p_dev_rec->link_key_type);
4931                 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4932                                                    p_dev_rec->sec_bd_name,
4933                                                    p_link_key, p_dev_rec->link_key_type);
4934         }
4935     }
4936     else
4937     {
4938         if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4939             (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4940         {
4941              p_dev_rec->new_encryption_key_is_p256 = TRUE;
4942              BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d",
4943                                __func__, p_dev_rec->new_encryption_key_is_p256);
4944         }
4945     }
4946 
4947     /* If name is not known at this point delay calling callback until the name is   */
4948     /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4949     if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4950         &&  ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL))
4951         && !ltk_derived_lk)
4952     {
4953         BTM_TRACE_EVENT ("btm_sec_link_key_notification()  Delayed BDA: %08x%04x Type:%d",
4954                           (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3],
4955                           (p_bda[4] << 8) + p_bda[5], key_type);
4956 
4957         p_dev_rec->link_key_not_sent = TRUE;
4958 
4959         /* If it is for bonding nothing else will follow, so we need to start name resolution */
4960         if (we_are_bonding)
4961         {
4962             if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4963                 btm_inq_rmt_name_failed();
4964         }
4965 
4966         BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4967         return;
4968     }
4969 
4970     /* If its not us who perform authentication, we should tell stackserver */
4971     /* that some authentication has been completed                          */
4972     /* This is required when different entities receive link notification and auth complete */
4973     if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)
4974         /* for derived key, always send authentication callback for BR channel */
4975          || ltk_derived_lk)
4976     {
4977         if (btm_cb.api.p_auth_complete_callback)
4978             (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4979                                                     p_dev_rec->sec_bd_name, HCI_SUCCESS);
4980     }
4981 
4982     /* We will save link key only if the user authorized it - BTE report link key in all cases */
4983 #ifdef BRCM_NONE_BTE
4984     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4985 #endif
4986     {
4987         if (btm_cb.api.p_link_key_callback)
4988         {
4989             if (ltk_derived_lk)
4990             {
4991                 BTM_TRACE_DEBUG ("btm_sec_link_key_notification()  LTK derived LK is saved already"
4992                                     " (key_type = %d)", p_dev_rec->link_key_type);
4993             }
4994             else
4995             {
4996                 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4997                                                    p_dev_rec->sec_bd_name,
4998                                                    p_link_key, p_dev_rec->link_key_type);
4999             }
5000         }
5001     }
5002 }
5003 
5004 /*******************************************************************************
5005 **
5006 ** Function         btm_sec_link_key_request
5007 **
5008 ** Description      This function is called when controller requests link key
5009 **
5010 ** Returns          Pointer to the record or NULL
5011 **
5012 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)5013 void btm_sec_link_key_request (UINT8 *p_bda)
5014 {
5015     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
5016 
5017     BTM_TRACE_EVENT ("btm_sec_link_key_request()  BDA: %02x:%02x:%02x:%02x:%02x:%02x",
5018                       p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
5019 
5020     if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
5021         (btm_cb.collision_start_time != 0) &&
5022         (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
5023     {
5024         BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
5025             "State: %d START_TIMEOUT : %d",
5026              btm_cb.pairing_state, btm_cb.collision_start_time);
5027         btsnd_hcic_link_key_neg_reply (p_bda);
5028         return;
5029     }
5030     if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5031     {
5032         btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
5033         return;
5034     }
5035 
5036     /* Notify L2CAP to increase timeout */
5037     l2c_pin_code_request (p_bda);
5038 
5039     /* The link key is not in the database and it is not known to the manager */
5040     btsnd_hcic_link_key_neg_reply (p_bda);
5041 }
5042 
5043 /*******************************************************************************
5044 **
5045 ** Function         btm_sec_pairing_timeout
5046 **
5047 ** Description      This function is called when host does not provide PIN
5048 **                  within requested time
5049 **
5050 ** Returns          Pointer to the TLE struct
5051 **
5052 *******************************************************************************/
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)5053 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
5054 {
5055     tBTM_CB *p_cb = &btm_cb;
5056     tBTM_SEC_DEV_REC *p_dev_rec;
5057 #if BTM_OOB_INCLUDED == TRUE
5058 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
5059     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_NO;
5060 #else
5061     tBTM_AUTH_REQ   auth_req = BTM_AUTH_AP_YES;
5062 #endif
5063 #endif
5064     UINT8   name[2];
5065     UNUSED(p_tle);
5066 
5067     p_cb->pairing_tle.param = 0;
5068 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
5069 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
5070 */
5071     p_dev_rec = btm_find_dev (p_cb->pairing_bda);
5072 
5073     BTM_TRACE_EVENT ("btm_sec_pairing_timeout()  State: %s   Flags: %u",
5074                       btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
5075 
5076     switch (p_cb->pairing_state)
5077     {
5078         case BTM_PAIR_STATE_WAIT_PIN_REQ:
5079             btm_sec_bond_cancel_complete();
5080             break;
5081 
5082         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
5083             if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
5084                 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
5085             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5086             /* We need to notify the UI that no longer need the PIN */
5087             if (btm_cb.api.p_auth_complete_callback)
5088             {
5089                 if (p_dev_rec == NULL)
5090                 {
5091                     name[0] = 0;
5092                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5093                                                             NULL,
5094                                                             name, HCI_ERR_CONNECTION_TOUT);
5095                 }
5096                 else
5097                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5098                                                             p_dev_rec->dev_class,
5099                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5100             }
5101             break;
5102 
5103         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
5104             btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
5105             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5106             break;
5107 
5108 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
5109         case BTM_PAIR_STATE_KEY_ENTRY:
5110             btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
5111             /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5112             break;
5113 #endif /* !BTM_IO_CAP_NONE */
5114 
5115 #if BTM_OOB_INCLUDED == TRUE
5116         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
5117             if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
5118                 auth_req |= BTM_AUTH_DD_BOND;
5119 
5120             btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
5121                                          BTM_OOB_NONE, auth_req);
5122             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5123             break;
5124 
5125         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5126             btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
5127             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5128             break;
5129 #endif /* BTM_OOB_INCLUDED */
5130 
5131         case BTM_PAIR_STATE_WAIT_DISCONNECT:
5132             /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
5133              * now it's time to tear down the ACL link*/
5134             if (p_dev_rec == NULL)
5135             {
5136                 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
5137                                   (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
5138                                   (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
5139                 break;
5140             }
5141             btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
5142             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5143             break;
5144 
5145         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5146         case BTM_PAIR_STATE_GET_REM_NAME:
5147             /* We need to notify the UI that timeout has happened while waiting for authentication*/
5148             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5149             if (btm_cb.api.p_auth_complete_callback)
5150             {
5151                 if (p_dev_rec == NULL)
5152                 {
5153                     name[0] = 0;
5154                     (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5155                                                             NULL,
5156                                                             name, HCI_ERR_CONNECTION_TOUT);
5157                 }
5158                 else
5159                     (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5160                                                             p_dev_rec->dev_class,
5161                                                             p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5162             }
5163             break;
5164 
5165         default:
5166             BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
5167             btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5168             break;
5169     }
5170 }
5171 
5172 /*******************************************************************************
5173 **
5174 ** Function         btm_sec_pin_code_request
5175 **
5176 ** Description      This function is called when controller requests PIN code
5177 **
5178 ** Returns          Pointer to the record or NULL
5179 **
5180 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)5181 void btm_sec_pin_code_request (UINT8 *p_bda)
5182 {
5183     tBTM_SEC_DEV_REC *p_dev_rec;
5184     tBTM_CB          *p_cb = &btm_cb;
5185 
5186     BTM_TRACE_EVENT ("btm_sec_pin_code_request()  State: %s, BDA:%04x%08x",
5187                       btm_pair_state_descr(btm_cb.pairing_state),
5188                       (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
5189 
5190     if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
5191     {
5192         if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0)  &&
5193              (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
5194         {
5195              btsnd_hcic_pin_code_neg_reply (p_bda);
5196              return;
5197         }
5198         else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5199                  || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
5200         {
5201             BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
5202                                 btm_pair_state_descr(btm_cb.pairing_state));
5203             btsnd_hcic_pin_code_neg_reply (p_bda);
5204             return;
5205         }
5206     }
5207 
5208     p_dev_rec = btm_find_or_alloc_dev (p_bda);
5209     /* received PIN code request. must be non-sm4 */
5210     p_dev_rec->sm4 = BTM_SM4_KNOWN;
5211 
5212     if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
5213     {
5214         memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5215 
5216         btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5217         /* Make sure we reset the trusted mask to help against attacks */
5218         BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5219     }
5220 
5221     if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
5222     {
5223         BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
5224         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5225         btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5226         return;
5227     }
5228 
5229     /* Use the connecting device's CoD for the connection */
5230     if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5231          &&  (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
5232         memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5233 
5234     /* We could have started connection after asking user for the PIN code */
5235     if (btm_cb.pin_code_len != 0)
5236     {
5237         BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
5238         btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5239 
5240         /* Mark that we forwarded received from the user PIN code */
5241         btm_cb.pin_code_len = 0;
5242 
5243         /* We can change mode back right away, that other connection being established */
5244         /* is not forced to be secure - found a FW issue, so we can not do this
5245         btm_restore_mode(); */
5246 
5247         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5248     }
5249 
5250     /* If pairing disabled OR (no PIN callback and not bonding) */
5251     /* OR we could not allocate entry in the database reject pairing request */
5252     else if (p_cb->pairing_disabled
5253              || (p_cb->api.p_pin_callback == NULL)
5254 
5255              /* OR Microsoft keyboard can for some reason try to establish connection */
5256              /*  the only thing we can do here is to shut it up.  Normally we will be originator */
5257              /*  for keyboard bonding */
5258              || (!p_dev_rec->is_originator
5259                  && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5260                  &&  (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
5261     {
5262         BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
5263                            p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5264 
5265         btsnd_hcic_pin_code_neg_reply (p_bda);
5266     }
5267     /* Notify upper layer of PIN request and start expiration timer */
5268     else
5269     {
5270         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5271         /* Pin code request can not come at the same time as connection request */
5272         memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5273         memcpy (p_cb->connecting_dc,  p_dev_rec->dev_class, DEV_CLASS_LEN);
5274 
5275         /* Check if the name is known */
5276         /* Even if name is not known we might not be able to get one */
5277         /* this is the case when we are already getting something from the */
5278         /* device, so HCI level is flow controlled */
5279         /* Also cannot send remote name request while paging, i.e. connection is not completed */
5280         if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5281         {
5282             BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
5283 
5284             btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5285             if (p_cb->api.p_pin_callback) {
5286                 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5287                         (p_dev_rec->p_cur_service == NULL) ? FALSE
5288                                 : (p_dev_rec->p_cur_service->security_flags
5289                                    & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5290             }
5291         }
5292         else
5293         {
5294             BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
5295 
5296             /* We received PIN code request for the device with unknown name */
5297             /* it is not user friendly just to ask for the PIN without name */
5298             /* try to get name at first */
5299             if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
5300                                           HCI_PAGE_SCAN_REP_MODE_R1,
5301                                           HCI_MANDATARY_PAGE_SCAN_MODE, 0))
5302             {
5303                 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
5304                 p_dev_rec->sec_bd_name[0] = 'f';
5305                 p_dev_rec->sec_bd_name[1] = '0';
5306                 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
5307 
5308                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5309                 if (p_cb->api.p_pin_callback)
5310                     (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class,
5311                             p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
5312                                     : (p_dev_rec->p_cur_service->security_flags
5313                                        & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5314             }
5315         }
5316     }
5317 
5318     return;
5319 }
5320 
5321 /*******************************************************************************
5322 **
5323 ** Function         btm_sec_update_clock_offset
5324 **
5325 ** Description      This function is called to update clock offset
5326 **
5327 ** Returns          void
5328 **
5329 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5330 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5331 {
5332     tBTM_SEC_DEV_REC  *p_dev_rec;
5333     tBTM_INQ_INFO     *p_inq_info;
5334 
5335     if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5336         return;
5337 
5338     p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5339 
5340     if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5341         return;
5342 
5343     p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5344 }
5345 
5346 
5347 /******************************************************************
5348 ** S T A T I C     F U N C T I O N S
5349 *******************************************************************/
5350 
5351 /*******************************************************************************
5352 **
5353 ** Function         btm_sec_execute_procedure
5354 **
5355 ** Description      This function is called to start required security
5356 **                  procedure.  There is a case when multiplexing protocol
5357 **                  calls this function on the originating side, connection to
5358 **                  the peer will not be established.  This function in this
5359 **                  case performs only authorization.
5360 **
5361 ** Returns          BTM_SUCCESS     - permission is granted
5362 **                  BTM_CMD_STARTED - in process
5363 **                  BTM_NO_RESOURCES  - permission declined
5364 **
5365 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5366 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5367 {
5368     BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5369                       p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5370 
5371     /* There is a chance that we are getting name.  Wait until done. */
5372     if (p_dev_rec->sec_state != 0)
5373         return(BTM_CMD_STARTED);
5374 
5375     /* If any security is required, get the name first */
5376     if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5377         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5378     {
5379         BTM_TRACE_EVENT ("Security Manager: Start get name");
5380         if (!btm_sec_start_get_name (p_dev_rec))
5381         {
5382             return(BTM_NO_RESOURCES);
5383         }
5384         return(BTM_CMD_STARTED);
5385     }
5386 
5387     /* If connection is not authenticated and authentication is required */
5388     /* start authentication and return PENDING to the caller */
5389     if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5390         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5391             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE))))
5392         || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5393             && (!p_dev_rec->is_originator
5394                     && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN))))
5395         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5396     {
5397         /*
5398          * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
5399          * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
5400          * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
5401          * authenticated connections, hence we cannot distinguish here.
5402          */
5403 
5404 #if (L2CAP_UCD_INCLUDED == TRUE)
5405         /* if incoming UCD packet, discard it */
5406         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5407             return(BTM_FAILED_ON_SECURITY);
5408 #endif
5409 
5410         BTM_TRACE_EVENT ("Security Manager: Start authentication");
5411 
5412         /*
5413          * If we do have a link-key, but we end up here because we need an
5414          * upgrade, then clear the link-key known and authenticated flag before
5415          * restarting authentication.
5416          * WARNING: If the controller has link-key, it is optional and
5417          * recommended for the controller to send a Link_Key_Request.
5418          * In case we need an upgrade, the only alternative would be to delete
5419          * the existing link-key. That could lead to very bad user experience
5420          * or even IOP issues, if a reconnect causes a new connection that
5421          * requires an upgrade.
5422          */
5423         if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5424                 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5425                     && (!p_dev_rec->is_originator && (p_dev_rec->security_required
5426                             & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
5427             p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
5428                     | BTM_SEC_AUTHENTICATED);
5429         }
5430 
5431         if (!btm_sec_start_authentication (p_dev_rec))
5432         {
5433             return(BTM_NO_RESOURCES);
5434         }
5435         return(BTM_CMD_STARTED);
5436     }
5437 
5438     /* If connection is not encrypted and encryption is required */
5439     /* start encryption and return PENDING to the caller */
5440     if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5441         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5442             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5443         && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5444     {
5445 #if (L2CAP_UCD_INCLUDED == TRUE)
5446         /* if incoming UCD packet, discard it */
5447         if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5448             return(BTM_FAILED_ON_SECURITY);
5449 #endif
5450 
5451         BTM_TRACE_EVENT ("Security Manager: Start encryption");
5452 
5453         if (!btm_sec_start_encryption (p_dev_rec))
5454         {
5455             return(BTM_NO_RESOURCES);
5456         }
5457         return(BTM_CMD_STARTED);
5458     }
5459 
5460     if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
5461         (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
5462     {
5463         BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -",
5464                         "security failure", __FUNCTION__, p_dev_rec->link_key_type);
5465         return (BTM_FAILED_ON_SECURITY);
5466     }
5467 
5468     /* If connection is not authorized and authorization is required */
5469     /* start authorization and return PENDING to the caller */
5470     if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5471         && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5472             || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5473     {
5474         BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5475                           p_dev_rec->p_cur_service->service_id,
5476                           (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5477                                                       p_dev_rec->p_cur_service->service_id)));
5478         if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5479             (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5480             (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5481                                         p_dev_rec->p_cur_service->service_id) == FALSE))
5482         {
5483             BTM_TRACE_EVENT ("Security Manager: Start authorization");
5484             return(btm_sec_start_authorization (p_dev_rec));
5485         }
5486     }
5487 
5488     /* All required  security procedures already established */
5489     p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5490                                       BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5491                                       BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5492                                       BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5493                                       BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5494 
5495     BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5496     BTM_TRACE_EVENT ("Security Manager: access granted");
5497 
5498     return(BTM_SUCCESS);
5499 }
5500 
5501 
5502 /*******************************************************************************
5503 **
5504 ** Function         btm_sec_start_get_name
5505 **
5506 ** Description      This function is called to start get name procedure
5507 **
5508 ** Returns          TRUE if started
5509 **
5510 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5511 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5512 {
5513     UINT8 tempstate = p_dev_rec->sec_state;
5514 
5515     p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5516 
5517     /* Device should be connected, no need to provide correct page params */
5518     /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5519     if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5520                                 0, NULL)) != BTM_CMD_STARTED)
5521     {
5522         p_dev_rec->sec_state = tempstate;
5523         return(FALSE);
5524     }
5525 
5526     return(TRUE);
5527 }
5528 
5529 /*******************************************************************************
5530 **
5531 ** Function         btm_sec_start_authentication
5532 **
5533 ** Description      This function is called to start authentication
5534 **
5535 ** Returns          TRUE if started
5536 **
5537 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5538 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5539 {
5540     p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5541 
5542     return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5543 }
5544 
5545 /*******************************************************************************
5546 **
5547 ** Function         btm_sec_start_encryption
5548 **
5549 ** Description      This function is called to start encryption
5550 **
5551 ** Returns          TRUE if started
5552 **
5553 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5554 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5555 {
5556     if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5557         return(FALSE);
5558 
5559     p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5560     return(TRUE);
5561 }
5562 
5563 
5564 /*******************************************************************************
5565 **
5566 ** Function         btm_sec_start_authorization
5567 **
5568 ** Description      This function is called to start authorization
5569 **
5570 ** Returns          TRUE if started
5571 **
5572 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5573 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5574 {
5575     UINT8    result;
5576     UINT8   *p_service_name = NULL;
5577     UINT8    service_id;
5578 
5579     if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5580         || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5581     {
5582         if (!btm_cb.api.p_authorize_callback)
5583             return(BTM_MODE_UNSUPPORTED);
5584 
5585         if (p_dev_rec->p_cur_service)
5586         {
5587 #if BTM_SEC_SERVICE_NAME_LEN > 0
5588             if (p_dev_rec->is_originator)
5589                 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5590             else
5591                 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5592 #endif
5593             service_id = p_dev_rec->p_cur_service->service_id;
5594         }
5595         else
5596             service_id = 0;
5597 
5598         /* Send authorization request if not already sent during this service connection */
5599         if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5600             || p_dev_rec->last_author_service_id != service_id)
5601         {
5602             p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5603             result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5604                                                      p_dev_rec->dev_class,
5605                                                      p_dev_rec->sec_bd_name,
5606                                                      p_service_name,
5607                                                      service_id,
5608                                                      p_dev_rec->is_originator);
5609         }
5610 
5611         else    /* Already authorized once for this L2CAP bringup */
5612         {
5613             BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5614             return (BTM_SUCCESS);
5615         }
5616 
5617         if (result == BTM_SUCCESS)
5618         {
5619             p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5620 
5621             /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5622             if (!p_dev_rec->is_originator)
5623                 p_dev_rec->last_author_service_id = service_id;
5624 
5625             p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5626         }
5627         return(result);
5628     }
5629     btm_sec_start_get_name (p_dev_rec);
5630     return(BTM_CMD_STARTED);
5631 }
5632 
5633 /*******************************************************************************
5634 **
5635 ** Function         btm_sec_are_all_trusted
5636 **
5637 ** Description      This function is called check if all services are trusted
5638 **
5639 ** Returns          TRUE if all are trusted, otherwise FALSE
5640 **
5641 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5642 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5643 {
5644     UINT32 trusted_inx;
5645     for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5646     {
5647         if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5648             return(FALSE);
5649     }
5650 
5651     return(TRUE);
5652 }
5653 
5654 /*******************************************************************************
5655 **
5656 ** Function         btm_sec_find_first_serv
5657 **
5658 ** Description      Look for the first record in the service database
5659 **                  with specified PSM
5660 **
5661 ** Returns          Pointer to the record or NULL
5662 **
5663 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5664 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5665 {
5666     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5667     int i;
5668     BOOLEAN is_originator;
5669 
5670 #if (L2CAP_UCD_INCLUDED == TRUE)
5671 
5672     if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5673         is_originator = TRUE;
5674     else
5675         is_originator = FALSE;
5676 #else
5677     is_originator = conn_type;
5678 #endif
5679 
5680     if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5681     {
5682         /* If this is outgoing connection and the PSM matches p_out_serv,
5683          * use it as the current service */
5684         return btm_cb.p_out_serv;
5685     }
5686 
5687     /* otherwise, just find the first record with the specified PSM */
5688     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5689     {
5690         if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5691             return(p_serv_rec);
5692     }
5693     return(NULL);
5694 }
5695 
5696 
5697 /*******************************************************************************
5698 **
5699 ** Function         btm_sec_find_next_serv
5700 **
5701 ** Description      Look for the next record in the service database
5702 **                  with specified PSM
5703 **
5704 ** Returns          Pointer to the record or NULL
5705 **
5706 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5707 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5708 {
5709     tBTM_SEC_SERV_REC *p_serv_rec   = &btm_cb.sec_serv_rec[0];
5710     int               i;
5711 
5712     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5713     {
5714         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5715             && (p_serv_rec->psm == p_cur->psm) )
5716         {
5717             if (p_cur != p_serv_rec)
5718             {
5719                 return(p_serv_rec);
5720             }
5721         }
5722     }
5723     return(NULL);
5724 }
5725 
5726 
5727 /*******************************************************************************
5728 **
5729 ** Function         btm_sec_find_mx_serv
5730 **
5731 ** Description      Look for the record in the service database with specified
5732 **                  PSM and multiplexor channel information
5733 **
5734 ** Returns          Pointer to the record or NULL
5735 **
5736 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5737 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5738                                                 UINT32 mx_proto_id, UINT32 mx_chan_id)
5739 {
5740     tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5741     tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5742     int i;
5743 
5744     BTM_TRACE_DEBUG ("%s()", __func__);
5745     if (is_originator && p_out_serv && p_out_serv->psm == psm
5746         && p_out_serv->mx_proto_id == mx_proto_id
5747         && p_out_serv->orig_mx_chan_id == mx_chan_id)
5748     {
5749         /* If this is outgoing connection and the parameters match p_out_serv,
5750          * use it as the current service */
5751         return btm_cb.p_out_serv;
5752     }
5753 
5754     /* otherwise, the old way */
5755     for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5756     {
5757         if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5758             && (p_serv_rec->psm == psm)
5759             && (p_serv_rec->mx_proto_id == mx_proto_id)
5760             && (( is_originator && (p_serv_rec->orig_mx_chan_id  == mx_chan_id))
5761                 || (!is_originator && (p_serv_rec->term_mx_chan_id  == mx_chan_id))))
5762         {
5763             return(p_serv_rec);
5764         }
5765     }
5766     return(NULL);
5767 }
5768 
5769 
5770 /*******************************************************************************
5771 **
5772 ** Function         btm_sec_collision_timeout
5773 **
5774 ** Description      Encryption could not start because of the collision
5775 **                  try to do it again
5776 **
5777 ** Returns          Pointer to the TLE struct
5778 **
5779 *******************************************************************************/
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5780 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5781 {
5782     UNUSED(p_tle);
5783 
5784     BTM_TRACE_EVENT ("%s()", __func__);
5785     btm_cb.sec_collision_tle.param = 0;
5786 
5787     tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5788 
5789     /* If result is pending reply from the user or from the device is pending */
5790     if (status != BTM_CMD_STARTED)
5791     {
5792         /* There is no next procedure or start of procedure failed, notify the waiting layer */
5793         btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5794     }
5795 }
5796 
5797 /*******************************************************************************
5798 **
5799 ** Function         btm_sec_link_key_request
5800 **
5801 ** Description      This function is called when controller requests link key
5802 **
5803 ** Returns          Pointer to the record or NULL
5804 **
5805 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5806 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5807 {
5808     if (btm_cb.api.p_link_key_callback)
5809         (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5810                                            p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5811                                            p_dev_rec->link_key_type);
5812 }
5813 
5814 /*******************************************************************************
5815 **
5816 ** Function         BTM_ReadTrustedMask
5817 **
5818 ** Description      Get trusted mask for the peer device
5819 **
5820 ** Parameters:      bd_addr   - Address of the device
5821 **
5822 ** Returns          NULL, if the device record is not found.
5823 **                  otherwise, the trusted mask
5824 **
5825 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5826 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5827 {
5828     tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
5829     if (p_dev_rec != NULL)
5830         return(p_dev_rec->trusted_mask);
5831     return NULL;
5832 }
5833 
5834 /*******************************************************************************
5835 **
5836 ** Function         btm_restore_mode
5837 **
5838 ** Description      This function returns the security mode to previous setting
5839 **                  if it was changed during bonding.
5840 **
5841 **
5842 ** Parameters:      void
5843 **
5844 *******************************************************************************/
btm_restore_mode(void)5845 static void btm_restore_mode(void)
5846 {
5847     if (btm_cb.security_mode_changed)
5848     {
5849         btm_cb.security_mode_changed = FALSE;
5850         BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5851         btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5852     }
5853 
5854     if (btm_cb.pin_type_changed)
5855     {
5856         btm_cb.pin_type_changed = FALSE;
5857         btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5858     }
5859 }
5860 
5861 
5862 /*******************************************************************************
5863 **
5864 ** Function         btm_sec_find_dev_by_sec_state
5865 **
5866 ** Description      Look for the record in the device database for the device
5867 **                  which is being authenticated or encrypted
5868 **
5869 ** Returns          Pointer to the record or NULL
5870 **
5871 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5872 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5873 {
5874     tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5875 
5876     for (int i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5877     {
5878         if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5879             && (p_dev_rec->sec_state == state))
5880             return(p_dev_rec);
5881     }
5882     return(NULL);
5883 }
5884 
5885 /*******************************************************************************
5886 **
5887 ** Function         btm_sec_change_pairing_state
5888 **
5889 ** Description      This function is called to change pairing state
5890 **
5891 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5892 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5893 {
5894     tBTM_PAIRING_STATE  old_state = btm_cb.pairing_state;
5895 
5896     BTM_TRACE_EVENT ("%s()  Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
5897     BTM_TRACE_EVENT ("%s()  New: %s pairing_flags:0x%x", __func__,
5898             btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5899 
5900     btm_cb.pairing_state = new_state;
5901 
5902     if (new_state == BTM_PAIR_STATE_IDLE)
5903     {
5904         btu_stop_timer (&btm_cb.pairing_tle);
5905 
5906         btm_cb.pairing_flags = 0;
5907         btm_cb.pin_code_len  = 0;
5908 
5909         /* Make sure the the lcb shows we are not bonding */
5910         l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5911 
5912         btm_restore_mode();
5913         btm_sec_check_pending_reqs();
5914         btm_inq_clear_ssp();
5915 
5916         memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5917     }
5918     else
5919     {
5920         /* If transitionng out of idle, mark the lcb as bonding */
5921         if (old_state == BTM_PAIR_STATE_IDLE)
5922             l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5923 
5924         btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5925 
5926         btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5927     }
5928 }
5929 
5930 
5931 /*******************************************************************************
5932 **
5933 ** Function         btm_pair_state_descr
5934 **
5935 ** Description      Return state description for tracing
5936 **
5937 *******************************************************************************/
5938 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5939 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5940 {
5941 #if (BT_TRACE_VERBOSE == TRUE)
5942     switch (state)
5943     {
5944         case BTM_PAIR_STATE_IDLE:                   return("IDLE");
5945         case BTM_PAIR_STATE_GET_REM_NAME:           return("GET_REM_NAME");
5946         case BTM_PAIR_STATE_WAIT_PIN_REQ:           return("WAIT_PIN_REQ");
5947         case BTM_PAIR_STATE_WAIT_LOCAL_PIN:         return("WAIT_LOCAL_PIN");
5948         case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:   return("WAIT_NUM_CONFIRM");
5949         case BTM_PAIR_STATE_KEY_ENTRY:              return("KEY_ENTRY");
5950         case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:     return("WAIT_LOCAL_OOB_RSP");
5951         case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:      return("WAIT_LOCAL_IOCAPS");
5952         case BTM_PAIR_STATE_INCOMING_SSP:           return("INCOMING_SSP");
5953         case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:     return("WAIT_AUTH_COMPLETE");
5954         case BTM_PAIR_STATE_WAIT_DISCONNECT:        return("WAIT_DISCONNECT");
5955     }
5956 
5957     return("???");
5958 #else
5959     sprintf(btm_cb.state_temp_buffer,"%hhu",state);
5960 
5961     return(btm_cb.state_temp_buffer);
5962 #endif
5963 }
5964 #endif
5965 
5966 /*******************************************************************************
5967 **
5968 ** Function         btm_sec_dev_rec_cback_event
5969 **
5970 ** Description      This function calls the callback function with the given
5971 **                  result and clear the callback function.
5972 **
5973 ** Parameters:      void
5974 **
5975 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)5976 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
5977 {
5978     tBTM_SEC_CALLBACK   *p_callback = p_dev_rec->p_callback;
5979 
5980     if (p_dev_rec->p_callback)
5981     {
5982         p_dev_rec->p_callback = NULL;
5983 
5984 #if BLE_INCLUDED == TRUE
5985         if (is_le_transport)
5986            (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res);
5987         else
5988 #endif
5989            (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res);
5990     }
5991 
5992     btm_sec_check_pending_reqs();
5993 }
5994 
5995 /*******************************************************************************
5996 **
5997 ** Function         btm_sec_queue_mx_request
5998 **
5999 ** Description      Return state description for tracing
6000 **
6001 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)6002 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr,  UINT16 psm,  BOOLEAN is_orig,
6003                                          UINT32 mx_proto_id, UINT32 mx_chan_id,
6004                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
6005 {
6006     tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
6007 
6008     if (p_e)
6009     {
6010         p_e->psm            = psm;
6011         p_e->is_orig        = is_orig;
6012         p_e->p_callback     = p_callback;
6013         p_e->p_ref_data     = p_ref_data;
6014         p_e->mx_proto_id    = mx_proto_id;
6015         p_e->mx_chan_id     = mx_chan_id;
6016         p_e->transport      = BT_TRANSPORT_BR_EDR;
6017 
6018         memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6019 
6020         BTM_TRACE_EVENT ("%s() PSM: 0x%04x  Is_Orig: %u  mx_proto_id: %u  mx_chan_id: %u",
6021                           __func__, psm, is_orig, mx_proto_id, mx_chan_id);
6022 
6023         GKI_enqueue (&btm_cb.sec_pending_q, p_e);
6024 
6025         return(TRUE);
6026     }
6027 
6028     return(FALSE);
6029 }
6030 
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)6031 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC  *p_dev_rec)
6032 {
6033     UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
6034     UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
6035     BOOLEAN rv = FALSE;
6036 
6037     if ((major == BTM_COD_MAJOR_AUDIO)
6038         &&  ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
6039     {
6040         BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x",
6041             __func__, major, minor);
6042 
6043         if (btm_cb.security_mode_changed == FALSE)
6044         {
6045             btm_cb.security_mode_changed = TRUE;
6046 #ifdef APPL_AUTH_WRITE_EXCEPTION
6047             if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
6048 #endif
6049                 btsnd_hcic_write_auth_enable (TRUE);
6050         }
6051     }
6052     else
6053     {
6054         btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
6055 
6056         /* If we got a PIN, use that, else try to get one */
6057         if (btm_cb.pin_code_len)
6058         {
6059             BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
6060         }
6061         else
6062         {
6063             /* pin was not supplied - pre-fetch pin code now */
6064             if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
6065             {
6066                 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__);
6067                 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
6068                 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
6069                 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
6070                         p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
6071                                 : (p_dev_rec->p_cur_service->security_flags
6072                                    & BTM_SEC_IN_MIN_16_DIGIT_PIN));
6073             }
6074         }
6075 
6076         rv = TRUE;
6077     }
6078 
6079     return rv;
6080 }
6081 
6082 /*******************************************************************************
6083 **
6084 ** Function         btm_sec_auth_payload_tout
6085 **
6086 ** Description      Processes the HCI Autheniticated Payload Timeout Event
6087 **                  indicating that a packet containing a valid MIC on the
6088 **                  connection handle was not received within the programmed
6089 **                  timeout value. (Spec Default is 30 secs, but can be
6090 **                  changed via the BTM_SecSetAuthPayloadTimeout() function.
6091 **
6092 *******************************************************************************/
btm_sec_auth_payload_tout(UINT8 * p,UINT16 hci_evt_len)6093 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len)
6094 {
6095     UINT16 handle;
6096 
6097     STREAM_TO_UINT16 (handle, p);
6098     handle = HCID_GET_HANDLE (handle);
6099 
6100     /* Will be exposed to upper layers in the future if/when determined necessary */
6101     BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle);
6102 }
6103 
6104 /*******************************************************************************
6105 **
6106 ** Function         btm_sec_queue_encrypt_request
6107 **
6108 ** Description      encqueue encryption request when device has active security
6109 **                  process pending.
6110 **
6111 *******************************************************************************/
btm_sec_queue_encrypt_request(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)6112 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
6113                                          tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
6114 {
6115     tBTM_SEC_QUEUE_ENTRY  *p_e;
6116     p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
6117 
6118     if (p_e)
6119     {
6120         p_e->psm  = 0;  /* if PSM 0, encryption request */
6121         p_e->p_callback  = p_callback;
6122         p_e->p_ref_data = (void *)(p_e + 1);
6123         *(UINT8 *)p_e->p_ref_data = *(UINT8 *)(p_ref_data);
6124         p_e->transport  = transport;
6125         memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6126         GKI_enqueue(&btm_cb.sec_pending_q, p_e);
6127         return TRUE;
6128     }
6129 
6130     return FALSE;
6131 }
6132 
6133 /*******************************************************************************
6134 **
6135 ** Function         btm_sec_set_peer_sec_caps
6136 **
6137 ** Description      This function is called to set sm4 and rmt_sec_caps fields
6138 **                  based on the available peer device features.
6139 **
6140 ** Returns          void
6141 **
6142 *******************************************************************************/
btm_sec_set_peer_sec_caps(tACL_CONN * p_acl_cb,tBTM_SEC_DEV_REC * p_dev_rec)6143 void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec)
6144 {
6145     BD_ADDR     rem_bd_addr;
6146     UINT8       *p_rem_bd_addr;
6147 
6148     if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
6149          btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
6150          btm_cb.security_mode == BTM_SEC_MODE_SC) &&
6151         HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]))
6152     {
6153         p_dev_rec->sm4 = BTM_SM4_TRUE;
6154         p_dev_rec->remote_supports_secure_connections =
6155             (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]));
6156     }
6157     else
6158     {
6159         p_dev_rec->sm4 = BTM_SM4_KNOWN;
6160         p_dev_rec->remote_supports_secure_connections = FALSE;
6161     }
6162 
6163     BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", __FUNCTION__,
6164                   p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections);
6165 
6166 
6167     if (p_dev_rec->remote_features_needed)
6168     {
6169         BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!",
6170                         __FUNCTION__);
6171         p_rem_bd_addr = (UINT8*) rem_bd_addr;
6172         BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr);
6173         p_rem_bd_addr = (UINT8*) rem_bd_addr;
6174         btm_io_capabilities_req(p_rem_bd_addr);
6175         p_dev_rec->remote_features_needed = FALSE;
6176     }
6177 }
6178 
6179 /*******************************************************************************
6180 **
6181 ** Function         btm_sec_clean_pending_req_queue
6182 **
6183 ** Description      This function cleans up the pending security request when the
6184 **                  link to the target device dropped.
6185 **
6186 ** Returns          void
6187 **
6188 *******************************************************************************/
btm_sec_clean_pending_req_queue(BD_ADDR remote_bda,tBT_TRANSPORT transport)6189 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport)
6190 {
6191     tBTM_SEC_QUEUE_ENTRY    *p_e;
6192     BUFFER_Q                *bq = &btm_cb.sec_pending_q;
6193 
6194     p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
6195 
6196     if (p_e != NULL)
6197     {
6198         if (memcmp(p_e->bd_addr, remote_bda, BD_ADDR_LEN) == 0
6199 #if BLE_INCLUDED == TRUE
6200             && p_e->transport == transport
6201 #endif
6202             )
6203         {
6204             (*p_e->p_callback) (remote_bda, transport, p_e->p_ref_data, BTM_ERR_PROCESSING);
6205             GKI_remove_from_queue(bq, (void *)p_e);
6206         }
6207         p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
6208     }
6209 }
6210 
6211 /*******************************************************************************
6212 **
6213 ** Function         btm_sec_is_serv_level0
6214 **
6215 ** Description      This function is called to check if the service corresponding
6216 **                  to PSM is security mode 4 level 0 service.
6217 **
6218 ** Returns          TRUE if the service is security mode 4 level 0 service
6219 **
6220 *******************************************************************************/
btm_sec_is_serv_level0(UINT16 psm)6221 static BOOLEAN btm_sec_is_serv_level0(UINT16 psm)
6222 {
6223     if (psm == BT_PSM_SDP)
6224     {
6225         BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __FUNCTION__, psm);
6226         return TRUE;
6227     }
6228     return FALSE;
6229 }
6230 
6231 /*******************************************************************************
6232 **
6233 ** Function         btm_sec_check_pending_enc_req
6234 **
6235 ** Description      This function is called to send pending encryption callback if
6236 **                  waiting
6237 **
6238 ** Returns          void
6239 **
6240 *******************************************************************************/
btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC * p_dev_rec,tBT_TRANSPORT transport,UINT8 encr_enable)6241 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC  *p_dev_rec, tBT_TRANSPORT transport,
6242                                             UINT8 encr_enable)
6243 {
6244     tBTM_SEC_QUEUE_ENTRY    *p_e;
6245     BUFFER_Q                *bq = &btm_cb.sec_pending_q;
6246     UINT8                   res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
6247 
6248     p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
6249 
6250     while (p_e != NULL)
6251     {
6252         if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0
6253 #if BLE_INCLUDED == TRUE
6254             && p_e->transport == transport
6255 #endif
6256             )
6257         {
6258 #if BLE_INCLUDED == TRUE
6259             UINT8 sec_act = *(UINT8 *)(p_e->p_ref_data);
6260 #endif
6261 
6262             if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR
6263 #if BLE_INCLUDED == TRUE
6264                 || (sec_act == BTM_BLE_SEC_ENCRYPT || sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
6265                 || (sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags
6266                     & BTM_SEC_LE_AUTHENTICATED)
6267 #endif
6268                )
6269             {
6270                 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res);
6271                 GKI_remove_from_queue(bq, (void *)p_e);
6272             }
6273         }
6274         p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
6275     }
6276 }
6277 
6278 /*******************************************************************************
6279 **
6280 ** Function         btm_sec_set_serv_level4_flags
6281 **
6282 ** Description      This function is called to set security mode 4 level 4 flags.
6283 **
6284 ** Returns          service security requirements updated to include secure
6285 **                  connections only mode.
6286 **
6287 *******************************************************************************/
btm_sec_set_serv_level4_flags(UINT16 cur_security,BOOLEAN is_originator)6288 static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator)
6289 {
6290     UINT16  sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS;
6291 
6292     return cur_security | sec_level4_flags;
6293 }
6294 
6295 /*******************************************************************************
6296 **
6297 ** Function         btm_sec_clear_ble_keys
6298 **
6299 ** Description      This function is called to clear out the BLE keys.
6300 **                  Typically when devices are removed in BTM_SecDeleteDevice,
6301 **                  or when a new BT Link key is generated.
6302 **
6303 ** Returns          void
6304 **
6305 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)6306 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC  *p_dev_rec)
6307 {
6308 
6309     BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__);
6310 #if (SMP_INCLUDED== TRUE)
6311     p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
6312     memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6313 
6314 #if (BLE_PRIVACY_SPT == TRUE)
6315     btm_ble_resolving_list_remove_dev(p_dev_rec);
6316 #endif
6317 #endif
6318 }
6319 
6320 /*******************************************************************************
6321 **
6322 ** Function         btm_sec_is_a_bonded_dev
6323 **
6324 ** Description       Is the specified device is a bonded device
6325 **
6326 ** Returns          TRUE - dev is bonded
6327 **
6328 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6329 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6330 {
6331 
6332     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6333     BOOLEAN is_bonded= FALSE;
6334 
6335     if (p_dev_rec &&
6336 #if (SMP_INCLUDED == TRUE)
6337         ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
6338 #else
6339         (
6340 #endif
6341          (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
6342     {
6343         is_bonded = TRUE;
6344     }
6345     BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded);
6346     return(is_bonded);
6347 }
6348 
6349 /*******************************************************************************
6350 **
6351 ** Function         btm_sec_is_le_capable_dev
6352 **
6353 ** Description       Is the specified device is dual mode or LE only device
6354 **
6355 ** Returns          TRUE - dev is a dual mode
6356 **
6357 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6358 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6359 {
6360     tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6361     BOOLEAN le_capable = FALSE;
6362 
6363 #if (BLE_INCLUDED== TRUE)
6364     if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE)
6365         le_capable  = TRUE;
6366 #endif
6367     return le_capable;
6368 }
6369 
6370 /*******************************************************************************
6371 **
6372 ** Function         btm_sec_find_bonded_dev
6373 **
6374 ** Description      Find a bonded device starting from the specified index
6375 **
6376 ** Returns          TRUE - found a bonded device
6377 **
6378 *******************************************************************************/
btm_sec_find_bonded_dev(UINT8 start_idx,UINT8 * p_found_idx,tBTM_SEC_DEV_REC ** p_rec)6379 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC **p_rec)
6380 {
6381     BOOLEAN found= FALSE;
6382 
6383 #if (SMP_INCLUDED== TRUE)
6384     tBTM_SEC_DEV_REC *p_dev_rec;
6385     int i;
6386     if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
6387     {
6388         BTM_TRACE_DEBUG ("LE bonded device not found");
6389         return found;
6390     }
6391 
6392     p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
6393     for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
6394     {
6395         if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
6396         {
6397             *p_found_idx = i;
6398             *p_rec = p_dev_rec;
6399             break;
6400         }
6401     }
6402     BTM_TRACE_DEBUG ("%s() found=%d", __func__, found);
6403 #endif
6404     return(found);
6405 }
6406 
6407 /*******************************************************************************
6408 **
6409 ** Function         btm_sec_use_smp_br_chnl
6410 **
6411 ** Description      The function checks if SMP BR connection can be used with
6412 **                  the peer.
6413 **                  Is called when authentication for dedicated bonding is
6414 **                  successfully completed.
6415 **
6416 ** Returns          TRUE - if SMP BR connection can be used (the link key is
6417 **                         generated from P-256 and the peer supports Security
6418 **                         Manager over BR).
6419 **
6420 *******************************************************************************/
btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC * p_dev_rec)6421 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec)
6422 {
6423     UINT32  ext_feat;
6424     UINT8   chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
6425 
6426     BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__,
6427                       p_dev_rec->link_key_type);
6428 
6429     if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
6430         (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
6431          return FALSE;
6432 
6433     if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask))
6434         return FALSE;
6435 
6436     if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT))
6437         return FALSE;
6438 
6439     return TRUE;
6440 }
6441 
6442 /*******************************************************************************
6443 **
6444 ** Function         btm_sec_is_master
6445 **
6446 ** Description      The function checks if the device is BR/EDR master after
6447 **                  pairing is completed.
6448 **
6449 ** Returns          TRUE - if the device is master.
6450 **
6451 *******************************************************************************/
btm_sec_is_master(tBTM_SEC_DEV_REC * p_dev_rec)6452 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
6453 {
6454     tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
6455     return (p && (p->link_role == BTM_ROLE_MASTER));
6456 }
6457 
6458