1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Security Manager
22 *
23 ******************************************************************************/
24
25 #define LOG_TAG "bt_btm_sec"
26
27 #include <stdarg.h>
28 #include <string.h>
29
30 #include "bt_types.h"
31 #include "device/include/controller.h"
32 #include "hcimsgs.h"
33 #include "btu.h"
34 #include "btm_int.h"
35 #include "l2c_int.h"
36 #include "bt_utils.h"
37 #include "osi/include/log.h"
38
39 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
40 /* needed for sprintf() */
41 #include <stdio.h>
42 #endif
43
44 #if BLE_INCLUDED == TRUE
45 #include "gatt_int.h"
46 #endif
47
48 #define BTM_SEC_MAX_COLLISION_DELAY (5000)
49
50 #ifdef APPL_AUTH_WRITE_EXCEPTION
51 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
52 #endif
53
54
55 /********************************************************************************
56 ** L O C A L F U N C T I O N P R O T O T Y P E S *
57 *********************************************************************************/
58 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (BOOLEAN is_originator, UINT16 psm);
59 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
60 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
61 UINT32 mx_proto_id,
62 UINT32 mx_chan_id);
63
64 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
65 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
66 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
67 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
68 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
69 static void btm_restore_mode(void);
70 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
71 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
72 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
73
74 #if (BT_USE_TRACES == TRUE)
75 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state);
76 #endif
77
78 static void btm_sec_check_pending_reqs(void);
79 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
80 UINT32 mx_proto_id, UINT32 mx_chan_id,
81 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
82 static void btm_sec_bond_cancel_complete (void);
83 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
84 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec);
85
86 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
87 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]);
88
89 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
90 UINT8 btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
91 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
92
93 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
94 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
95 UINT32 mx_chan_id);
96
97 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
98 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
99 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
100 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
101 static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm);
102 static UINT16 btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator);
103
104 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
105 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
106 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport) ;
107 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
108 UINT8 encr_enable);
109 static BOOLEAN btm_sec_acceptor_rejects_bonding (tBTM_SEC_DEV_REC *p_dev_rec);
110
111 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec);
112 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec);
113
114 /* TRUE - authenticated link key is possible */
115 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] =
116 {
117 /* OUT, IO, IN, NONE */
118 /* OUT */ {FALSE, FALSE, TRUE, FALSE},
119 /* IO */ {FALSE, TRUE, TRUE, FALSE},
120 /* IN */ {TRUE, TRUE, TRUE, FALSE},
121 /* NONE */ {FALSE, FALSE, FALSE, FALSE}
122 };
123 /* BTM_IO_CAP_OUT 0 DisplayOnly */
124 /* BTM_IO_CAP_IO 1 DisplayYesNo */
125 /* BTM_IO_CAP_IN 2 KeyboardOnly */
126 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */
127
128 /*******************************************************************************
129 **
130 ** Function btm_dev_authenticated
131 **
132 ** Description check device is authenticated
133 **
134 ** Returns BOOLEAN TRUE or FALSE
135 **
136 *******************************************************************************/
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)137 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
138 {
139 if(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)
140 {
141 return(TRUE);
142 }
143 return(FALSE);
144 }
145
146 /*******************************************************************************
147 **
148 ** Function btm_dev_encrypted
149 **
150 ** Description check device is encrypted
151 **
152 ** Returns BOOLEAN TRUE or FALSE
153 **
154 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)155 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
156 {
157 if(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
158 {
159 return(TRUE);
160 }
161 return(FALSE);
162 }
163
164 /*******************************************************************************
165 **
166 ** Function btm_dev_authorized
167 **
168 ** Description check device is authorized
169 **
170 ** Returns BOOLEAN TRUE or FALSE
171 **
172 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)173 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
174 {
175 if(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
176 {
177 return(TRUE);
178 }
179 return(FALSE);
180 }
181
182 /*******************************************************************************
183 **
184 ** Function btm_dev_16_digit_authenticated
185 **
186 ** Description check device is authenticated by using 16 digit pin or MITM
187 **
188 ** Returns BOOLEAN TRUE or FALSE
189 **
190 *******************************************************************************/
btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)191 static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec)
192 {
193 // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used
194 if(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
195 {
196 return(TRUE);
197 }
198 return(FALSE);
199 }
200
201 /*******************************************************************************
202 **
203 ** Function btm_serv_trusted
204 **
205 ** Description check service is trusted
206 **
207 ** Returns BOOLEAN TRUE or FALSE
208 **
209 *******************************************************************************/
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)210 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
211 {
212 if(BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id))
213 {
214 return(TRUE);
215 }
216 return(FALSE);
217 }
218
219 /*******************************************************************************
220 **
221 ** Function BTM_SecRegister
222 **
223 ** Description Application manager calls this function to register for
224 ** security services. There can be one and only one application
225 ** saving link keys. BTM allows only first registration.
226 **
227 ** Returns TRUE if registered OK, else FALSE
228 **
229 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)230 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info)
231 {
232 #if BLE_INCLUDED == TRUE
233 BT_OCTET16 temp_value = {0};
234 #endif
235
236 BTM_TRACE_EVENT("%s application registered", __func__);
237
238 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
239 LOG_INFO("%s p_cb_info->p_le_callback == 0x%p", __func__, p_cb_info->p_le_callback);
240 if (p_cb_info->p_le_callback)
241 {
242 #if SMP_INCLUDED == TRUE
243 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )", __func__);
244 SMP_Register(btm_proc_smp_cback);
245 #endif
246 /* if no IR is loaded, need to regenerate all the keys */
247 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0)
248 {
249 btm_ble_reset_id();
250 }
251 }
252 else
253 {
254 LOG_WARN("%s p_cb_info->p_le_callback == NULL", __func__);
255 }
256 #endif
257
258 btm_cb.api = *p_cb_info;
259 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
260 LOG_INFO("%s btm_cb.api.p_le_callback = 0x%p ", __func__, btm_cb.api.p_le_callback);
261 #endif
262 BTM_TRACE_EVENT("%s application registered", __func__);
263 return(TRUE);
264 }
265
266 /*******************************************************************************
267 **
268 ** Function BTM_SecRegisterLinkKeyNotificationCallback
269 **
270 ** Description Application manager calls this function to register for
271 ** link key notification. When there is nobody registered
272 ** we should avoid changing link key
273 **
274 ** Returns TRUE if registered OK, else FALSE
275 **
276 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)277 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
278 {
279 btm_cb.api.p_link_key_callback = p_callback;
280 return TRUE;
281 }
282
283 /*******************************************************************************
284 **
285 ** Function BTM_SecAddRmtNameNotifyCallback
286 **
287 ** Description Any profile can register to be notified when name of the
288 ** remote device is resolved.
289 **
290 ** Returns TRUE if registered OK, else FALSE
291 **
292 *******************************************************************************/
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)293 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
294 {
295 int i;
296
297 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
298 {
299 if (btm_cb.p_rmt_name_callback[i] == NULL)
300 {
301 btm_cb.p_rmt_name_callback[i] = p_callback;
302 return(TRUE);
303 }
304 }
305
306 return(FALSE);
307 }
308
309
310 /*******************************************************************************
311 **
312 ** Function BTM_SecDeleteRmtNameNotifyCallback
313 **
314 ** Description Any profile can deregister notification when a new Link Key
315 ** is generated per connection.
316 **
317 ** Returns TRUE if OK, else FALSE
318 **
319 *******************************************************************************/
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)320 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
321 {
322 int i;
323
324 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
325 {
326 if (btm_cb.p_rmt_name_callback[i] == p_callback)
327 {
328 btm_cb.p_rmt_name_callback[i] = NULL;
329 return(TRUE);
330 }
331 }
332
333 return(FALSE);
334 }
335
336 /*******************************************************************************
337 **
338 ** Function BTM_GetSecurityFlags
339 **
340 ** Description Get security flags for the device
341 **
342 ** Returns BOOLEAN TRUE or FALSE is device found
343 **
344 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)345 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 * p_sec_flags)
346 {
347 tBTM_SEC_DEV_REC *p_dev_rec;
348
349 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
350 {
351 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
352 return(TRUE);
353 }
354 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
355 return(FALSE);
356 }
357
358 /*******************************************************************************
359 **
360 ** Function BTM_GetSecurityFlagsByTransport
361 **
362 ** Description Get security flags for the device on a particular transport
363 **
364 ** Returns BOOLEAN TRUE or FALSE is device found
365 **
366 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)367 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 * p_sec_flags,
368 tBT_TRANSPORT transport)
369 {
370 tBTM_SEC_DEV_REC *p_dev_rec;
371
372 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
373 {
374 if (transport == BT_TRANSPORT_BR_EDR)
375 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
376 else
377 *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
378
379 return(TRUE);
380 }
381 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
382 return(FALSE);
383 }
384
385 /*******************************************************************************
386 **
387 ** Function BTM_SetPinType
388 **
389 ** Description Set PIN type for the device.
390 **
391 ** Returns void
392 **
393 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)394 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
395 {
396 BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d",
397 pin_type, (char *) pin_code, pin_code_len);
398
399 /* If device is not up security mode will be set as a part of startup */
400 if ( (btm_cb.cfg.pin_type != pin_type)
401 && controller_get_interface()->get_is_ready() )
402 {
403 btsnd_hcic_write_pin_type (pin_type);
404 }
405
406 btm_cb.cfg.pin_type = pin_type;
407 btm_cb.cfg.pin_code_len = pin_code_len;
408 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
409 }
410
411 /*******************************************************************************
412 **
413 ** Function BTM_SetPairableMode
414 **
415 ** Description Enable or disable pairing
416 **
417 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device
418 ** allows pairing.
419 ** connect_only_paired - (TRUE or FALSE) whether or not to
420 ** only allow paired devices to connect.
421 **
422 ** Returns void
423 **
424 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)425 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
426 {
427 BTM_TRACE_API ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u", allow_pairing, connect_only_paired);
428
429 btm_cb.pairing_disabled = !allow_pairing;
430 btm_cb.connect_only_paired = connect_only_paired;
431 }
432
433 /*******************************************************************************
434 **
435 ** Function BTM_SetSecureConnectionsOnly
436 **
437 ** Description Enable or disable default treatment for Mode 4 Level 0 services
438 **
439 ** Parameter secure_connections_only_mode - (TRUE or FALSE) whether or not the device
440 ** TRUE means that the device should treat Mode 4 Level 0 services as
441 ** services of other levels. (Secure_connections_only_mode)
442 ** FALSE means that the device should provide default treatment for
443 ** Mode 4 Level 0 services.
444 **
445 ** Returns void
446 **
447 *******************************************************************************/
BTM_SetSecureConnectionsOnly(BOOLEAN secure_connections_only_mode)448 void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode)
449 {
450 BTM_TRACE_API("%s: Mode : %u", __FUNCTION__,
451 secure_connections_only_mode);
452
453 btm_cb.devcb.secure_connections_only = secure_connections_only_mode;
454 btm_cb.security_mode = BTM_SEC_MODE_SC;
455 }
456 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff)
457
458 /*******************************************************************************
459 **
460 ** Function BTM_SetSecurityLevel
461 **
462 ** Description Register service security level with Security Manager
463 **
464 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
465 ** p_name - Name of the service relevant only if
466 ** authorization will show this name to user. ignored
467 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
468 ** service_id - service ID for the service passed to authorization callback
469 ** sec_level - bit mask of the security features
470 ** psm - L2CAP PSM
471 ** mx_proto_id - protocol ID of multiplexing proto below
472 ** mx_chan_id - channel ID of multiplexing proto below
473 **
474 ** Returns TRUE if registered OK, else FALSE
475 **
476 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)477 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, char *p_name, UINT8 service_id,
478 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
479 UINT32 mx_chan_id)
480 {
481 #if (L2CAP_UCD_INCLUDED == TRUE)
482 CONNECTION_TYPE conn_type;
483
484 if (is_originator)
485 conn_type = CONN_ORIENT_ORIG;
486 else
487 conn_type = CONN_ORIENT_TERM;
488
489 return(btm_sec_set_security_level (conn_type, p_name, service_id,
490 sec_level, psm, mx_proto_id, mx_chan_id));
491 #else
492 return(btm_sec_set_security_level (is_originator, p_name, service_id,
493 sec_level, psm, mx_proto_id, mx_chan_id));
494 #endif
495 }
496
497 /*******************************************************************************
498 **
499 ** Function btm_sec_set_security_level
500 **
501 ** Description Register service security level with Security Manager
502 **
503 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not
504 ** p_name - Name of the service relevant only if
505 ** authorization will show this name to user. ignored
506 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
507 ** service_id - service ID for the service passed to authorization callback
508 ** sec_level - bit mask of the security features
509 ** psm - L2CAP PSM
510 ** mx_proto_id - protocol ID of multiplexing proto below
511 ** mx_chan_id - channel ID of multiplexing proto below
512 **
513 ** Returns TRUE if registered OK, else FALSE
514 **
515 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)516 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, char *p_name, UINT8 service_id,
517 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
518 UINT32 mx_chan_id)
519 {
520 tBTM_SEC_SERV_REC *p_srec;
521 UINT16 index;
522 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
523 BOOLEAN record_allocated = FALSE;
524 BOOLEAN is_originator;
525 #if (L2CAP_UCD_INCLUDED == TRUE)
526 BOOLEAN is_ucd;
527
528 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
529 is_originator = TRUE;
530 else
531 is_originator = FALSE;
532
533 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK )
534 {
535 is_ucd = TRUE;
536 }
537 else
538 {
539 is_ucd = FALSE;
540 }
541 #else
542 is_originator = conn_type;
543 #endif
544
545 BTM_TRACE_API("%s : sec: 0x%x", __func__, sec_level);
546
547 /* See if the record can be reused (same service name, psm, mx_proto_id,
548 service_id, and mx_chan_id), or obtain the next unused record */
549
550 p_srec = &btm_cb.sec_serv_rec[0];
551
552
553 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++)
554 {
555 /* Check if there is already a record for this service */
556 if (p_srec->security_flags & BTM_SEC_IN_USE)
557 {
558 #if BTM_SEC_SERVICE_NAME_LEN > 0
559 if (p_srec->psm == psm &&
560 p_srec->mx_proto_id == mx_proto_id &&
561 service_id == p_srec->service_id &&
562 (!strncmp (p_name, (char *) p_srec->orig_service_name,
563 BTM_SEC_SERVICE_NAME_LEN) ||
564 !strncmp (p_name, (char *) p_srec->term_service_name,
565 BTM_SEC_SERVICE_NAME_LEN)))
566 #else
567 if (p_srec->psm == psm &&
568 p_srec->mx_proto_id == mx_proto_id &&
569 service_id == p_srec->service_id)
570 #endif
571 {
572 record_allocated = TRUE;
573 break;
574 }
575 }
576 /* Mark the first available service record */
577 else if (!record_allocated)
578 {
579 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
580 record_allocated = TRUE;
581 first_unused_record = index;
582 }
583 }
584
585 if (!record_allocated)
586 {
587 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)", BTM_SEC_MAX_SERVICE_RECORDS);
588 return(record_allocated);
589 }
590
591 /* Process the request if service record is valid */
592 /* If a duplicate service wasn't found, use the first available */
593 if (index >= BTM_SEC_MAX_SERVICE_RECORDS)
594 {
595 index = first_unused_record;
596 p_srec = &btm_cb.sec_serv_rec[index];
597 }
598
599 p_srec->psm = psm;
600 p_srec->service_id = service_id;
601 p_srec->mx_proto_id = mx_proto_id;
602
603 if (is_originator)
604 {
605 p_srec->orig_mx_chan_id = mx_chan_id;
606 #if BTM_SEC_SERVICE_NAME_LEN > 0
607 BCM_STRNCPY_S ((char *)p_srec->orig_service_name, sizeof(p_srec->orig_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
608 #endif
609 /* clear out the old setting, just in case it exists */
610 #if (L2CAP_UCD_INCLUDED == TRUE)
611 if ( is_ucd )
612 {
613 p_srec->ucd_security_flags &=
614 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
615 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
616 }
617 else
618 #endif
619 {
620 p_srec->security_flags &=
621 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
622 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
623 }
624
625 /* Parameter validation. Originator should not set requirements for incoming connections */
626 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE
627 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN );
628
629 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
630 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
631 btm_cb.security_mode == BTM_SEC_MODE_SC)
632 {
633 if (sec_level & BTM_SEC_OUT_AUTHENTICATE)
634 sec_level |= BTM_SEC_OUT_MITM;
635 }
636
637 /* Make sure the authenticate bit is set, when encrypt bit is set */
638 if (sec_level & BTM_SEC_OUT_ENCRYPT)
639 sec_level |= BTM_SEC_OUT_AUTHENTICATE;
640
641 /* outgoing connections usually set the security level right before
642 * the connection is initiated.
643 * set it to be the outgoing service */
644 #if (L2CAP_UCD_INCLUDED == TRUE)
645 if ( is_ucd == FALSE )
646 #endif
647 {
648 btm_cb.p_out_serv = p_srec;
649 }
650 }
651 else
652 {
653 p_srec->term_mx_chan_id = mx_chan_id;
654 #if BTM_SEC_SERVICE_NAME_LEN > 0
655 BCM_STRNCPY_S ((char *)p_srec->term_service_name, sizeof(p_srec->term_service_name), p_name, BTM_SEC_SERVICE_NAME_LEN);
656 #endif
657 /* clear out the old setting, just in case it exists */
658 #if (L2CAP_UCD_INCLUDED == TRUE)
659 if ( is_ucd )
660 {
661 p_srec->ucd_security_flags &=
662 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
663 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
664 | BTM_SEC_IN_MIN_16_DIGIT_PIN);
665 }
666 else
667 #endif
668 {
669 p_srec->security_flags &=
670 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
671 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
672 | BTM_SEC_IN_MIN_16_DIGIT_PIN);
673 }
674
675 /* Parameter validation. Acceptor should not set requirements for outgoing connections */
676 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
677
678 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
679 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
680 btm_cb.security_mode == BTM_SEC_MODE_SC)
681 {
682 if (sec_level & BTM_SEC_IN_AUTHENTICATE)
683 sec_level |= BTM_SEC_IN_MITM;
684 }
685
686 /* Make sure the authenticate bit is set, when encrypt bit is set */
687 if (sec_level & BTM_SEC_IN_ENCRYPT)
688 sec_level |= BTM_SEC_IN_AUTHENTICATE;
689 }
690
691 #if (L2CAP_UCD_INCLUDED == TRUE)
692 if ( is_ucd )
693 {
694 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE);
695 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
696 }
697 else
698 {
699 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
700 }
701
702 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d",
703 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
704
705 BTM_TRACE_API(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x",
706 p_srec->security_flags, p_srec->ucd_security_flags);
707
708 #if BTM_SEC_SERVICE_NAME_LEN > 0
709 BTM_TRACE_API(" : service name [%s] (up to %d chars saved)",
710 p_name, BTM_SEC_SERVICE_NAME_LEN);
711 #endif
712 #else
713 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
714
715 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d",
716 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
717
718 #if BTM_SEC_SERVICE_NAME_LEN > 0
719 BTM_TRACE_API(" : sec: 0x%x, service name [%s] (up to %d chars saved)",
720 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
721 #endif
722 #endif
723
724
725 return(record_allocated);
726 }
727
728 /*******************************************************************************
729 **
730 ** Function BTM_SecClrService
731 **
732 ** Description Removes specified service record(s) from the security database.
733 ** All service records with the specified name are removed.
734 ** Typically used only by devices with limited RAM so that it can
735 ** reuse an old security service record.
736 **
737 ** Note: Unpredictable results may occur if a service is cleared
738 ** that is still in use by an application/profile.
739 **
740 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
741 ** records (except SDP).
742 **
743 ** Returns Number of records that were freed.
744 **
745 *******************************************************************************/
BTM_SecClrService(UINT8 service_id)746 UINT8 BTM_SecClrService (UINT8 service_id)
747 {
748 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
749 UINT8 num_freed = 0;
750 int i;
751
752 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
753 {
754 /* Delete services with specified name (if in use and not SDP) */
755 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
756 (!service_id || (service_id == p_srec->service_id)))
757 {
758 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d", i, service_id);
759 p_srec->security_flags = 0;
760 #if (L2CAP_UCD_INCLUDED == TRUE)
761 p_srec->ucd_security_flags = 0;
762 #endif
763 num_freed++;
764 }
765 }
766
767 return(num_freed);
768 }
769
770 /*******************************************************************************
771 **
772 ** Function btm_sec_clr_service_by_psm
773 **
774 ** Description Removes specified service record from the security database.
775 ** All service records with the specified psm are removed.
776 ** Typically used by L2CAP to free up the service record used
777 ** by dynamic PSM clients when the channel is closed.
778 ** The given psm must be a virtual psm.
779 **
780 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
781 ** records (except SDP).
782 **
783 ** Returns Number of records that were freed.
784 **
785 *******************************************************************************/
btm_sec_clr_service_by_psm(UINT16 psm)786 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
787 {
788 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
789 UINT8 num_freed = 0;
790 int i;
791
792 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++)
793 {
794 /* Delete services with specified name (if in use and not SDP) */
795 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) )
796 {
797 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d ", i, p_srec->service_id);
798 p_srec->security_flags = 0;
799 num_freed++;
800 }
801 }
802 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d", psm, num_freed);
803
804 return(num_freed);
805 }
806
807 /*******************************************************************************
808 **
809 ** Function btm_sec_clr_temp_auth_service
810 **
811 ** Description Removes specified device record's temporary authorization
812 ** flag from the security database.
813 **
814 ** Parameters Device address to be cleared
815 **
816 ** Returns void.
817 **
818 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)819 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
820 {
821 tBTM_SEC_DEV_REC *p_dev_rec;
822
823 if ((p_dev_rec = btm_find_dev (bda)) == NULL)
824 {
825 BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB");
826 return;
827 }
828
829 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
830 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service)
831 {
832 BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]",
833 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
834
835 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
836 }
837 }
838
839 /*******************************************************************************
840 **
841 ** Function BTM_PINCodeReply
842 **
843 ** Description This function is called after Security Manager submitted
844 ** PIN code request to the UI.
845 **
846 ** Parameters: bd_addr - Address of the device for which PIN was requested
847 ** res - result of the operation BTM_SUCCESS if success
848 ** pin_len - length in bytes of the PIN Code
849 ** p_pin - pointer to array with the PIN Code
850 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
851 **
852 *******************************************************************************/
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])853 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
854 {
855 tBTM_SEC_DEV_REC *p_dev_rec;
856
857 BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d",
858 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
859
860 /* If timeout already expired or has been canceled, ignore the reply */
861 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
862 {
863 BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d", btm_cb.pairing_state);
864 return;
865 }
866
867 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
868 {
869 BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr");
870 return;
871 }
872
873 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
874 {
875 BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB");
876 return;
877 }
878
879 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) )
880 res = BTM_ILLEGAL_VALUE;
881
882 if (res != BTM_SUCCESS)
883 {
884 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
885 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
886 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
887 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) )
888 {
889 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
890 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
891 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
892
893 btsnd_hcic_pin_code_neg_reply (bd_addr);
894 }
895 else
896 {
897 p_dev_rec->security_required = BTM_SEC_NONE;
898 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
899 }
900 return;
901 }
902 if (trusted_mask)
903 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
904 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
905 if (pin_len >= 16) {
906 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
907 }
908
909 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
910 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
911 && (btm_cb.security_mode_changed == FALSE) )
912 {
913 /* This is start of the dedicated bonding if local device is 2.0 */
914 btm_cb.pin_code_len = pin_len;
915 p_dev_rec->pin_code_length = pin_len;
916 memcpy (btm_cb.pin_code, p_pin, pin_len);
917
918 btm_cb.security_mode_changed = TRUE;
919 #ifdef APPL_AUTH_WRITE_EXCEPTION
920 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
921 #endif
922 btsnd_hcic_write_auth_enable (TRUE);
923
924 btm_cb.acl_disc_reason = 0xff ;
925
926 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
927 /* before originating */
928 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
929 {
930 BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection");
931 /* we change state little bit early so btm_sec_connected() will originate connection */
932 /* when existing ACL link is down completely */
933 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
934 }
935 /* if we already accepted incoming connection from pairing device */
936 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
937 {
938 BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer");
939 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
940 }
941 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
942 {
943 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
944 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
945
946 if (btm_cb.api.p_auth_complete_callback)
947 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
948 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
949 }
950 return;
951 }
952
953 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
954 btm_cb.acl_disc_reason = HCI_SUCCESS;
955
956 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
957 }
958
959 /*******************************************************************************
960 **
961 ** Function btm_sec_bond_by_transport
962 **
963 ** Description this is the bond function that will start either SSP or SMP.
964 **
965 ** Parameters: bd_addr - Address of the device to bond
966 ** pin_len - length in bytes of the PIN Code
967 ** p_pin - pointer to array with the PIN Code
968 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
969 **
970 ** Note: After 2.1 parameters are not used and preserved here not to change API
971 *******************************************************************************/
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])972 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
973 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
974 {
975 tBTM_SEC_DEV_REC *p_dev_rec;
976 tBTM_STATUS status;
977 UINT8 *p_features;
978 UINT8 ii;
979 tACL_CONN *p= btm_bda_to_acl(bd_addr, transport);
980 BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x",
981 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
982
983 BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d" , transport);
984
985
986 /* Other security process is in progress */
987 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
988 {
989 BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s", btm_pair_state_descr(btm_cb.pairing_state));
990 return(BTM_WRONG_MODE);
991 }
992
993 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL)
994 {
995 return(BTM_NO_RESOURCES);
996 }
997
998 BTM_TRACE_DEBUG ("before update sec_flags=0x%x", p_dev_rec->sec_flags);
999
1000 /* Finished if connection is active and already paired */
1001 if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
1002 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
1003 #if (BLE_INCLUDED == TRUE)
1004 ||((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
1005 && (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
1006 #endif
1007
1008 )
1009 {
1010 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired");
1011 return(BTM_SUCCESS);
1012 }
1013
1014 /* Tell controller to get rid of the link key if it has one stored */
1015 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS)
1016 return(BTM_NO_RESOURCES);
1017
1018 /* Save the PIN code if we got a valid one */
1019 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0))
1020 {
1021 btm_cb.pin_code_len = pin_len;
1022 p_dev_rec->pin_code_length = pin_len;
1023 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1024 }
1025
1026 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1027
1028 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1029
1030 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1031 p_dev_rec->is_originator = TRUE;
1032 if (trusted_mask)
1033 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1034
1035 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1036 if (transport == BT_TRANSPORT_LE)
1037 {
1038 btm_ble_init_pseudo_addr (p_dev_rec, bd_addr);
1039 p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1040
1041 if (SMP_Pair(bd_addr) == SMP_STARTED)
1042 {
1043 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1044 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1045 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1046 return BTM_CMD_STARTED;
1047 }
1048
1049 btm_cb.pairing_flags = 0;
1050 return(BTM_NO_RESOURCES);
1051 }
1052 #endif
1053
1054 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1055 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED);
1056
1057
1058 BTM_TRACE_DEBUG ("after update sec_flags=0x%x", p_dev_rec->sec_flags);
1059 if (!controller_get_interface()->supports_simple_pairing())
1060 {
1061 /* The special case when we authenticate keyboard. Set pin type to fixed */
1062 /* It would be probably better to do it from the application, but it is */
1063 /* complicated */
1064 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1065 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1066 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED))
1067 {
1068 btm_cb.pin_type_changed = TRUE;
1069 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1070 }
1071 }
1072
1073 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++)
1074 {
1075 p_features = p_dev_rec->features[ii];
1076 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x",
1077 ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1078 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x",
1079 p_features[4], p_features[5], p_features[6], p_features[7]);
1080 }
1081
1082 BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x", p_dev_rec->sm4, p_dev_rec->hci_handle);
1083
1084 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1085 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1086 #endif
1087
1088 /* If connection already exists... */
1089 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE)
1090 {
1091 if (!btm_sec_start_authentication (p_dev_rec))
1092 return(BTM_NO_RESOURCES);
1093
1094 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1095
1096 /* Mark lcb as bonding */
1097 l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1098 return(BTM_CMD_STARTED);
1099 }
1100
1101 BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x", btm_cb.security_mode, p_dev_rec->sm4);
1102 if (!controller_get_interface()->supports_simple_pairing()
1103 || (p_dev_rec->sm4 == BTM_SM4_KNOWN))
1104 {
1105 if ( btm_sec_check_prefetch_pin (p_dev_rec) )
1106 return (BTM_CMD_STARTED);
1107 }
1108 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
1109 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
1110 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
1111 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
1112 {
1113 /* local is 2.1 and peer is unknown */
1114 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0)
1115 {
1116 /* we are not accepting connection request from peer
1117 * -> RNR (to learn if peer is 2.1)
1118 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1119 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1120 BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1121 }
1122 else
1123 {
1124 /* We are accepting connection request from peer */
1125 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1126 }
1127 BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d",
1128 btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1129 return BTM_CMD_STARTED;
1130 }
1131
1132 /* both local and peer are 2.1 */
1133 status = btm_sec_dd_create_conn(p_dev_rec);
1134
1135 if (status != BTM_CMD_STARTED)
1136 {
1137 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1138 }
1139
1140 return status;
1141 }
1142
1143 /*******************************************************************************
1144 **
1145 ** Function BTM_SecBondByTransport
1146 **
1147 ** Description This function is called to perform bonding with peer device.
1148 ** If the connection is already up, but not secure, pairing
1149 ** is attempted. If already paired BTM_SUCCESS is returned.
1150 **
1151 ** Parameters: bd_addr - Address of the device to bond
1152 ** transport - doing SSP over BR/EDR or SMP over LE
1153 ** pin_len - length in bytes of the PIN Code
1154 ** p_pin - pointer to array with the PIN Code
1155 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1156 **
1157 ** Note: After 2.1 parameters are not used and preserved here not to change API
1158 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1159 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1160 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1161 {
1162 #if SMP_INCLUDED == TRUE
1163 tBT_DEVICE_TYPE dev_type;
1164 tBLE_ADDR_TYPE addr_type;
1165
1166 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1167 /* LE device, do SMP pairing */
1168 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1169 (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0))
1170 {
1171 return BTM_ILLEGAL_ACTION;
1172 }
1173 #endif
1174 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1175 }
1176
1177 /*******************************************************************************
1178 **
1179 ** Function BTM_SecBond
1180 **
1181 ** Description This function is called to perform bonding with peer device.
1182 ** If the connection is already up, but not secure, pairing
1183 ** is attempted. If already paired BTM_SUCCESS is returned.
1184 **
1185 ** Parameters: bd_addr - Address of the device to bond
1186 ** pin_len - length in bytes of the PIN Code
1187 ** p_pin - pointer to array with the PIN Code
1188 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1189 **
1190 ** Note: After 2.1 parameters are not used and preserved here not to change API
1191 *******************************************************************************/
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1192 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1193 {
1194 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
1195 #if BLE_INCLUDED == TRUE
1196 if (BTM_UseLeLink(bd_addr))
1197 transport = BT_TRANSPORT_LE;
1198 #endif
1199 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1200 }
1201 /*******************************************************************************
1202 **
1203 ** Function BTM_SecBondCancel
1204 **
1205 ** Description This function is called to cancel ongoing bonding process
1206 ** with peer device.
1207 **
1208 ** Parameters: bd_addr - Address of the peer device
1209 ** transport - FALSE for BR/EDR link; TRUE for LE link
1210 **
1211 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1212 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1213 {
1214 tBTM_SEC_DEV_REC *p_dev_rec;
1215
1216 BTM_TRACE_API ("BTM_SecBondCancel() State: %s flags:0x%x",
1217 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1218
1219 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1220 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1221 return BTM_UNKNOWN_ADDR;
1222
1223 #if SMP_INCLUDED == TRUE
1224 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE)
1225 {
1226 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING)
1227 {
1228 BTM_TRACE_DEBUG ("Cancel LE pairing");
1229 if (SMP_PairCancel(bd_addr))
1230 {
1231 return BTM_CMD_STARTED;
1232 }
1233 }
1234 return BTM_WRONG_MODE;
1235 }
1236
1237 #endif
1238 BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1239 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1240 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags)
1241 {
1242 /* pre-fetching pin for dedicated bonding */
1243 btm_sec_bond_cancel_complete();
1244 return BTM_SUCCESS;
1245 }
1246
1247 /* If this BDA is in a bonding procedure */
1248 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1249 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
1250 {
1251 /* If the HCI link is up */
1252 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1253 {
1254 /* If some other thread disconnecting, we do not send second command */
1255 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1256 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH))
1257 return(BTM_CMD_STARTED);
1258
1259 /* If the HCI link was set up by Bonding process */
1260 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1261 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1262 else
1263 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1264
1265 return BTM_NOT_AUTHORIZED;
1266 }
1267 else /*HCI link is not up */
1268 {
1269 /* If the HCI link creation was started by Bonding process */
1270 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
1271 {
1272 if (btsnd_hcic_create_conn_cancel(bd_addr))
1273 return BTM_CMD_STARTED;
1274
1275 return BTM_NO_RESOURCES;
1276 }
1277 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
1278 {
1279 BTM_CancelRemoteDeviceName();
1280 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1281 return BTM_CMD_STARTED;
1282 }
1283 return BTM_NOT_AUTHORIZED;
1284 }
1285 }
1286
1287 return BTM_WRONG_MODE;
1288 }
1289
1290 /*******************************************************************************
1291 **
1292 ** Function BTM_SecGetDeviceLinkKey
1293 **
1294 ** Description This function is called to obtain link key for the device
1295 ** it returns BTM_SUCCESS if link key is available, or
1296 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1297 ** the device or device record does not contain link key info
1298 **
1299 ** Parameters: bd_addr - Address of the device
1300 ** link_key - Link Key is copied into this array
1301 **
1302 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1303 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1304 {
1305 tBTM_SEC_DEV_REC *p_dev_rec;
1306
1307 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1308 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1309 {
1310 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1311 return(BTM_SUCCESS);
1312 }
1313 return(BTM_UNKNOWN_ADDR);
1314 }
1315
1316 /*******************************************************************************
1317 **
1318 ** Function BTM_SecGetDeviceLinkKeyType
1319 **
1320 ** Description This function is called to obtain link key type for the
1321 ** device.
1322 ** it returns BTM_SUCCESS if link key is available, or
1323 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1324 ** the device or device record does not contain link key info
1325 **
1326 ** Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1327 ** otherwise.
1328 **
1329 *******************************************************************************/
BTM_SecGetDeviceLinkKeyType(BD_ADDR bd_addr)1330 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr)
1331 {
1332 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1333
1334 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
1335 {
1336 return p_dev_rec->link_key_type;
1337 }
1338 return BTM_LKEY_TYPE_IGNORE;
1339 }
1340
1341 /*******************************************************************************
1342 **
1343 ** Function BTM_SetEncryption
1344 **
1345 ** Description This function is called to ensure that connection is
1346 ** encrypted. Should be called only on an open connection.
1347 ** Typically only needed for connections that first want to
1348 ** bring up unencrypted links, then later encrypt them.
1349 **
1350 ** Parameters: bd_addr - Address of the peer device
1351 ** p_callback - Pointer to callback function called if
1352 ** this function returns PENDING after required
1353 ** procedures are completed. Can be set to NULL
1354 ** if status is not desired.
1355 ** p_ref_data - pointer to any data the caller wishes to receive
1356 ** in the callback function upon completion.
1357 * can be set to NULL if not used.
1358 ** transport - TRUE to encryption the link over LE transport
1359 ** or FALSE for BR/EDR transport
1360 **
1361 ** Returns BTM_SUCCESS - already encrypted
1362 ** BTM_PENDING - command will be returned in the callback
1363 ** BTM_WRONG_MODE- connection not up.
1364 ** BTM_BUSY - security procedures are currently active
1365 ** BTM_MODE_UNSUPPORTED - if security manager not linked in.
1366 **
1367 *******************************************************************************/
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1368 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1369 void *p_ref_data)
1370 {
1371 tBTM_STATUS rc = 0;
1372
1373 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1374 if (!p_dev_rec ||
1375 (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1376 #if BLE_INCLUDED == TRUE
1377 || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1378 #endif
1379 )
1380 {
1381 /* Connection should be up and runnning */
1382 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected");
1383
1384 if (p_callback)
1385 (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1386
1387 return(BTM_WRONG_MODE);
1388 }
1389
1390 if ((transport == BT_TRANSPORT_BR_EDR &&
1391 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))
1392 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1393 || (transport == BT_TRANSPORT_LE &&
1394 (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED))
1395 #endif
1396 )
1397 {
1398 BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted");
1399
1400 if (p_callback)
1401 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1402
1403 return(BTM_SUCCESS);
1404 }
1405
1406 /* enqueue security request if security is active */
1407 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE))
1408 {
1409 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request");
1410
1411 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data))
1412 {
1413 return BTM_CMD_STARTED;
1414 }
1415 else
1416 {
1417 if (p_callback)
1418 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1419 return BTM_NO_RESOURCES;
1420 }
1421 }
1422
1423 p_dev_rec->p_callback = p_callback;
1424 p_dev_rec->p_ref_data = p_ref_data;
1425 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1426 p_dev_rec->is_originator = FALSE;
1427
1428 BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x",
1429 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1430 p_dev_rec->security_required);
1431
1432 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1433 if (transport == BT_TRANSPORT_LE)
1434 {
1435 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1436 if (p)
1437 {
1438 rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1439 }
1440 else
1441 {
1442 rc = BTM_WRONG_MODE;
1443 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL", __FUNCTION__);
1444 }
1445 }
1446 else
1447 #endif
1448 rc = btm_sec_execute_procedure (p_dev_rec);
1449
1450 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY)
1451 {
1452 if (p_callback)
1453 {
1454 p_dev_rec->p_callback = NULL;
1455 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1456 }
1457 }
1458
1459 return(rc);
1460 }
1461
1462 /*******************************************************************************
1463 * disconnect the ACL link, if it's not done yet.
1464 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1465 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1466 {
1467 UINT8 old_state = p_dev_rec->sec_state;
1468 tBTM_STATUS status = BTM_CMD_STARTED;
1469
1470 BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x",
1471 conn_handle, reason);
1472
1473 /* send HCI_Disconnect on a transport only once */
1474 switch (old_state)
1475 {
1476 case BTM_SEC_STATE_DISCONNECTING:
1477 if (conn_handle == p_dev_rec->hci_handle)
1478 return status;
1479
1480 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1481 break;
1482
1483 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1484 case BTM_SEC_STATE_DISCONNECTING_BLE:
1485 if (conn_handle == p_dev_rec->ble_hci_handle)
1486 return status;
1487
1488 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1489 break;
1490
1491 case BTM_SEC_STATE_DISCONNECTING_BOTH:
1492 return status;
1493 #endif
1494
1495 default:
1496 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ?
1497 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
1498
1499 break;
1500 }
1501
1502 /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */
1503 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle)
1504 {
1505 BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect");
1506 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1507 status = BTM_SUCCESS;
1508 }
1509 /* Tear down the HCI link */
1510 else if (!btsnd_hcic_disconnect (conn_handle, reason))
1511 {
1512 /* could not send disconnect. restore old state */
1513 p_dev_rec->sec_state = old_state;
1514 status = BTM_NO_RESOURCES;
1515 }
1516
1517 return status;
1518 }
1519
1520 /*******************************************************************************
1521 **
1522 ** Function BTM_ConfirmReqReply
1523 **
1524 ** Description This function is called to confirm the numeric value for
1525 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1526 **
1527 ** Parameters: res - result of the operation BTM_SUCCESS if success
1528 ** bd_addr - Address of the peer device
1529 **
1530 *******************************************************************************/
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1531 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1532 {
1533 tBTM_SEC_DEV_REC *p_dev_rec;
1534
1535 BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s Res: %u",
1536 btm_pair_state_descr(btm_cb.pairing_state), res);
1537
1538 /* If timeout already expired or has been canceled, ignore the reply */
1539 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1540 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1541 return;
1542
1543 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1544
1545 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) )
1546 {
1547 btm_cb.acl_disc_reason = HCI_SUCCESS;
1548
1549 if (res == BTM_SUCCESS)
1550 {
1551 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1552 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1553 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
1554 }
1555
1556 btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1557 }
1558 else
1559 {
1560 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1561 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1562 btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1563 }
1564 }
1565
1566 /*******************************************************************************
1567 **
1568 ** Function BTM_PasskeyReqReply
1569 **
1570 ** Description This function is called to provide the passkey for
1571 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1572 **
1573 ** Parameters: res - result of the operation BTM_SUCCESS if success
1574 ** bd_addr - Address of the peer device
1575 ** passkey - numeric value in the range of
1576 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1577 **
1578 *******************************************************************************/
1579 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1580 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1581 {
1582 BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s res:%d",
1583 btm_pair_state_descr(btm_cb.pairing_state), res);
1584
1585 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1586 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1587 {
1588 return;
1589 }
1590
1591 /* If timeout already expired or has been canceled, ignore the reply */
1592 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) )
1593 {
1594 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1595 if (p_dev_rec != NULL)
1596 {
1597 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1598
1599 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)
1600 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1601 else
1602 BTM_SecBondCancel(bd_addr);
1603
1604 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1605
1606 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1607 return;
1608 }
1609 }
1610 else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY)
1611 return;
1612
1613 if (passkey > BTM_MAX_PASSKEY_VAL)
1614 res = BTM_ILLEGAL_VALUE;
1615
1616 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1617
1618 if (res != BTM_SUCCESS)
1619 {
1620 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1621 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1622 btsnd_hcic_user_passkey_neg_reply (bd_addr);
1623 } else {
1624 btm_cb.acl_disc_reason = HCI_SUCCESS;
1625 btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1626 }
1627 }
1628 #endif
1629
1630 /*******************************************************************************
1631 **
1632 ** Function BTM_SendKeypressNotif
1633 **
1634 ** Description This function is used during the passkey entry model
1635 ** by a device with KeyboardOnly IO capabilities
1636 ** (very likely to be a HID Device).
1637 ** It is called by a HID Device to inform the remote device when
1638 ** a key has been entered or erased.
1639 **
1640 ** Parameters: bd_addr - Address of the peer device
1641 ** type - notification type
1642 **
1643 *******************************************************************************/
1644 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1645 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1646 {
1647 /* This API only make sense between PASSKEY_REQ and SP complete */
1648 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY)
1649 btsnd_hcic_send_keypress_notif (bd_addr, type);
1650 }
1651 #endif
1652
1653 #if BTM_OOB_INCLUDED == TRUE
1654 /*******************************************************************************
1655 **
1656 ** Function BTM_IoCapRsp
1657 **
1658 ** Description This function is called in response to BTM_SP_IO_REQ_EVT
1659 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1660 ** by the tBTM_SP_CALLBACK implementation, this function is
1661 ** called to provide the actual response
1662 **
1663 ** Parameters: bd_addr - Address of the peer device
1664 ** io_cap - The IO capability of local device.
1665 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT.
1666 ** auth_req- MITM protection required or not.
1667 **
1668 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1669 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1670 {
1671 BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d",
1672 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1673
1674 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1675 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) )
1676 return;
1677
1678 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX)
1679 {
1680 btm_cb.devcb.loc_auth_req = auth_req;
1681 btm_cb.devcb.loc_io_caps = io_cap;
1682
1683 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
1684 auth_req = (BTM_AUTH_DD_BOND | (auth_req&BTM_AUTH_YN_BIT));
1685
1686 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1687 }
1688 }
1689
1690 /*******************************************************************************
1691 **
1692 ** Function BTM_ReadLocalOobData
1693 **
1694 ** Description This function is called to read the local OOB data from
1695 ** LM
1696 **
1697 *******************************************************************************/
BTM_ReadLocalOobData(void)1698 tBTM_STATUS BTM_ReadLocalOobData(void)
1699 {
1700 tBTM_STATUS status = BTM_SUCCESS;
1701
1702 if (btsnd_hcic_read_local_oob_data() == FALSE)
1703 status = BTM_NO_RESOURCES;
1704
1705 return status;
1706 }
1707
1708 /*******************************************************************************
1709 **
1710 ** Function BTM_RemoteOobDataReply
1711 **
1712 ** Description This function is called to provide the remote OOB data for
1713 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1714 **
1715 ** Parameters: bd_addr - Address of the peer device
1716 ** c - simple pairing Hash C.
1717 ** r - simple pairing Randomizer C.
1718 **
1719 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1720 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1721 {
1722 BTM_TRACE_EVENT ("%s() - State: %s res: %d", __func__,
1723 btm_pair_state_descr(btm_cb.pairing_state), res);
1724
1725 /* If timeout already expired or has been canceled, ignore the reply */
1726 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP)
1727 return;
1728
1729 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1730
1731 if (res != BTM_SUCCESS)
1732 {
1733 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1734 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1735 btsnd_hcic_rem_oob_neg_reply (bd_addr);
1736 } else {
1737 btm_cb.acl_disc_reason = HCI_SUCCESS;
1738 btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1739 }
1740 }
1741
1742 /*******************************************************************************
1743 **
1744 ** Function BTM_BuildOobData
1745 **
1746 ** Description This function is called to build the OOB data payload to
1747 ** be sent over OOB (non-Bluetooth) link
1748 **
1749 ** Parameters: p_data - the location for OOB data
1750 ** max_len - p_data size.
1751 ** c - simple pairing Hash C.
1752 ** r - simple pairing Randomizer C.
1753 ** name_len- 0, local device name would not be included.
1754 ** otherwise, the local device name is included for
1755 ** up to this specified length
1756 **
1757 ** Returns Number of bytes in p_data.
1758 **
1759 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1760 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1761 BT_OCTET16 r, UINT8 name_len)
1762 {
1763 UINT8 *p = p_data;
1764 UINT16 len = 0;
1765 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1766 UINT16 name_size;
1767 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1768 #endif
1769
1770 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE)
1771 {
1772 /* add mandatory part */
1773 UINT16_TO_STREAM(p, len);
1774 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
1775
1776 len = BTM_OOB_MANDATORY_SIZE;
1777 max_len -= len;
1778
1779 /* now optional part */
1780
1781 /* add Hash C */
1782 UINT16 delta = BTM_OOB_HASH_C_SIZE + 2;
1783 if (max_len >= delta)
1784 {
1785 *p++ = BTM_OOB_HASH_C_SIZE + 1;
1786 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1787 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1788 len += delta;
1789 max_len -= delta;
1790 }
1791
1792 /* add Rand R */
1793 delta = BTM_OOB_RAND_R_SIZE + 2;
1794 if (max_len >= delta)
1795 {
1796 *p++ = BTM_OOB_RAND_R_SIZE + 1;
1797 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1798 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1799 len += delta;
1800 max_len -= delta;
1801 }
1802
1803 /* add class of device */
1804 delta = BTM_OOB_COD_SIZE + 2;
1805 if (max_len >= delta)
1806 {
1807 *p++ = BTM_OOB_COD_SIZE + 1;
1808 *p++ = BTM_EIR_OOB_COD_TYPE;
1809 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1810 len += delta;
1811 max_len -= delta;
1812 }
1813 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1814 name_size = name_len;
1815 if (name_size > strlen(btm_cb.cfg.bd_name))
1816 {
1817 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1818 name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1819 }
1820 delta = name_size + 2;
1821 if (max_len >= delta)
1822 {
1823 *p++ = name_size + 1;
1824 *p++ = name_type;
1825 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1826 len += delta;
1827 max_len -= delta;
1828 }
1829 #endif
1830 /* update len */
1831 p = p_data;
1832 UINT16_TO_STREAM(p, len);
1833 }
1834 return len;
1835 }
1836
1837 /*******************************************************************************
1838 **
1839 ** Function BTM_BothEndsSupportSecureConnections
1840 **
1841 ** Description This function is called to check if both the local device and the peer device
1842 ** specified by bd_addr support BR/EDR Secure Connections.
1843 **
1844 ** Parameters: bd_addr - address of the peer
1845 **
1846 ** Returns TRUE if BR/EDR Secure Connections are supported by both local
1847 ** and the remote device.
1848 ** else FALSE.
1849 **
1850 *******************************************************************************/
BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)1851 BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)
1852 {
1853 return ((controller_get_interface()->supports_secure_connections()) &&
1854 (BTM_PeerSupportsSecureConnections(bd_addr)));
1855 }
1856
1857 /*******************************************************************************
1858 **
1859 ** Function BTM_PeerSupportsSecureConnections
1860 **
1861 ** Description This function is called to check if the peer supports
1862 ** BR/EDR Secure Connections.
1863 **
1864 ** Parameters: bd_addr - address of the peer
1865 **
1866 ** Returns TRUE if BR/EDR Secure Connections are supported by the peer,
1867 ** else FALSE.
1868 **
1869 *******************************************************************************/
BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)1870 BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)
1871 {
1872 tBTM_SEC_DEV_REC *p_dev_rec;
1873
1874 if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL)
1875 {
1876 BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x", __FUNCTION__,
1877 (bd_addr[0]<<24) + (bd_addr[1]<<16) + (bd_addr[2]<<8) + bd_addr[3],
1878 (bd_addr[4]<< 8) + bd_addr[5]);
1879 return FALSE;
1880 }
1881
1882 return (p_dev_rec->remote_supports_secure_connections);
1883 }
1884
1885 /*******************************************************************************
1886 **
1887 ** Function BTM_ReadOobData
1888 **
1889 ** Description This function is called to parse the OOB data payload
1890 ** received over OOB (non-Bluetooth) link
1891 **
1892 ** Parameters: p_data - the location for OOB data
1893 ** eir_tag - The associated EIR tag to read the data.
1894 ** *p_len(output) - the length of the data with the given tag.
1895 **
1896 ** Returns the beginning of the data with the given tag.
1897 ** NULL, if the tag is not found.
1898 **
1899 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1900 UINT8 * BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1901 {
1902 UINT8 *p = p_data;
1903 UINT16 max_len;
1904 UINT8 len, type;
1905 UINT8 *p_ret = NULL;
1906 UINT8 ret_len = 0;
1907
1908 if (p_data)
1909 {
1910 STREAM_TO_UINT16(max_len, p);
1911 if (max_len >= BTM_OOB_MANDATORY_SIZE)
1912 {
1913 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag)
1914 {
1915 p_ret = p; /* the location for bd_addr */
1916 ret_len = BTM_OOB_BD_ADDR_SIZE;
1917 }
1918 else
1919 {
1920 p += BD_ADDR_LEN;
1921 max_len -= BTM_OOB_MANDATORY_SIZE;
1922 /* now the optional data in EIR format */
1923 while (max_len > 0)
1924 {
1925 len = *p++; /* tag data len + 1 */
1926 type = *p++;
1927 if (eir_tag == type)
1928 {
1929 p_ret = p;
1930 ret_len = len - 1;
1931 break;
1932 }
1933 /* the data size of this tag is len + 1 (tag data len + 2) */
1934 if (max_len > len)
1935 {
1936 max_len -= len;
1937 max_len--;
1938 len--;
1939 p += len;
1940 }
1941 else
1942 max_len = 0;
1943 }
1944 }
1945 }
1946 }
1947
1948 if (p_len)
1949 *p_len = ret_len;
1950
1951 return p_ret;
1952 }
1953 #endif
1954
1955 /*******************************************************************************
1956 **
1957 ** Function BTM_SetOutService
1958 **
1959 ** Description This function is called to set the service for
1960 ** outgoing connections.
1961 **
1962 ** If the profile/application calls BTM_SetSecurityLevel
1963 ** before initiating a connection, this function does not
1964 ** need to be called.
1965 **
1966 ** Returns void
1967 **
1968 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1969 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1970 {
1971 tBTM_SEC_DEV_REC *p_dev_rec;
1972 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1973
1974 btm_cb.p_out_serv = p_serv_rec;
1975 p_dev_rec = btm_find_dev (bd_addr);
1976
1977 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
1978 {
1979 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1980 && (p_serv_rec->service_id == service_id)
1981 && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
1982 {
1983 BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d",
1984 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1985 btm_cb.p_out_serv = p_serv_rec;
1986 if (p_dev_rec)
1987 p_dev_rec->p_cur_service = p_serv_rec;
1988 break;
1989 }
1990 }
1991 }
1992
1993 /************************************************************************
1994 ** I N T E R N A L F U N C T I O N S
1995 *************************************************************************/
1996 /*******************************************************************************
1997 **
1998 ** Function btm_sec_is_upgrade_possible
1999 **
2000 ** Description This function returns TRUE if the existing link key
2001 ** can be upgraded or if the link key does not exist.
2002 **
2003 ** Returns BOOLEAN
2004 **
2005 *******************************************************************************/
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2006 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
2007 {
2008 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
2009 BOOLEAN is_possible = TRUE;
2010
2011 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
2012 {
2013 is_possible = FALSE;
2014 if(p_dev_rec->p_cur_service)
2015 {
2016 BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x",
2017 __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type,
2018 p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags);
2019 }
2020 else
2021 {
2022 BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x",
2023 __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
2024 }
2025 /* Already have a link key to the connected peer. Is the link key secure enough?
2026 ** Is a link key upgrade even possible?
2027 */
2028 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */
2029 && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) ||
2030 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256))
2031 /* has unauthenticated
2032 link key */
2033 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */
2034 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps]))
2035 /* authenticated
2036 link key is possible */
2037 {
2038 /* upgrade is possible: check if the application wants the upgrade.
2039 * If the application is configured to use a global MITM flag,
2040 * it probably would not want to upgrade the link key based on the security level database */
2041 is_possible = TRUE;
2042 }
2043 }
2044 BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x", __func__, is_possible, p_dev_rec->sec_flags);
2045 return is_possible;
2046 }
2047
2048 /*******************************************************************************
2049 **
2050 ** Function btm_sec_check_upgrade
2051 **
2052 ** Description This function is called to check if the existing link key
2053 ** needs to be upgraded.
2054 **
2055 ** Returns void
2056 **
2057 *******************************************************************************/
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2058 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
2059 {
2060
2061 BTM_TRACE_DEBUG ("%s()", __func__);
2062
2063 /* Only check if link key already exists */
2064 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
2065 return;
2066
2067 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE)
2068 {
2069 BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x", p_dev_rec->sec_flags);
2070 /* upgrade is possible: check if the application wants the upgrade.
2071 * If the application is configured to use a global MITM flag,
2072 * it probably would not want to upgrade the link key based on the security level database */
2073 tBTM_SP_UPGRADE evt_data;
2074 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2075 evt_data.upgrade = TRUE;
2076 if (btm_cb.api.p_sp_callback)
2077 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2078
2079 BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x", evt_data.upgrade);
2080 if (evt_data.upgrade)
2081 {
2082 /* if the application confirms the upgrade, set the upgrade bit */
2083 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2084
2085 /* Clear the link key known to go through authentication/pairing again */
2086 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2087 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2088 BTM_TRACE_DEBUG ("sec_flags:0x%x", p_dev_rec->sec_flags);
2089 }
2090 }
2091 }
2092
2093 /*******************************************************************************
2094 **
2095 ** Function btm_sec_l2cap_access_req
2096 **
2097 ** Description This function is called by the L2CAP to grant permission to
2098 ** establish L2CAP connection to or from the peer device.
2099 **
2100 ** Parameters: bd_addr - Address of the peer device
2101 ** psm - L2CAP PSM
2102 ** is_originator - TRUE if protocol above L2CAP originates
2103 ** connection
2104 ** p_callback - Pointer to callback function called if
2105 ** this function returns PENDING after required
2106 ** procedures are complete. MUST NOT BE NULL.
2107 **
2108 ** Returns tBTM_STATUS
2109 **
2110 *******************************************************************************/
2111 #define BTM_SEC_OUT_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHORIZE)
2112 #define BTM_SEC_IN_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)
2113
2114 #define BTM_SEC_OUT_LEVEL4_FLAGS (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT | \
2115 BTM_SEC_OUT_MITM | BTM_SEC_MODE4_LEVEL4)
2116
2117 #define BTM_SEC_IN_LEVEL4_FLAGS (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT | \
2118 BTM_SEC_IN_MITM | BTM_SEC_MODE4_LEVEL4)
2119
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2120 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2121 CONNECTION_TYPE conn_type,
2122 tBTM_SEC_CALLBACK *p_callback,
2123 void *p_ref_data)
2124 {
2125 tBTM_SEC_DEV_REC *p_dev_rec;
2126 tBTM_SEC_SERV_REC *p_serv_rec;
2127 UINT16 security_required;
2128 UINT16 old_security_required;
2129 BOOLEAN old_is_originator;
2130 tBTM_STATUS rc = BTM_SUCCESS;
2131 BOOLEAN chk_acp_auth_done = FALSE;
2132 BOOLEAN is_originator;
2133 BOOLEAN transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */
2134
2135 #if (L2CAP_UCD_INCLUDED == TRUE)
2136 if (conn_type & CONNECTION_TYPE_ORIG_MASK)
2137 is_originator = TRUE;
2138 else
2139 is_originator = FALSE;
2140
2141 BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, 0x%x", __func__, conn_type, p_ref_data);
2142 #else
2143 is_originator = conn_type;
2144
2145 BTM_TRACE_DEBUG ("%s() is_originator:%d, 0x%x", __func__, is_originator, p_ref_data);
2146 #endif
2147
2148 /* Find or get oldest record */
2149 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2150
2151 p_dev_rec->hci_handle = handle;
2152
2153 /* Find the service record for the PSM */
2154 p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2155
2156 /* If there is no application registered with this PSM do not allow connection */
2157 if (!p_serv_rec)
2158 {
2159 BTM_TRACE_WARNING ("%s() PSM: %d no application registerd", __func__, psm);
2160 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2161 return(BTM_MODE_UNSUPPORTED);
2162 }
2163
2164 /* Services level0 by default have no security */
2165 if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only))
2166 {
2167 (*p_callback) (bd_addr,transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2168 return(BTM_SUCCESS);
2169 }
2170 #if (L2CAP_UCD_INCLUDED == TRUE)
2171 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2172 {
2173 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2174 {
2175 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags,
2176 is_originator);
2177 }
2178 else
2179 {
2180 security_required = p_serv_rec->ucd_security_flags;
2181 }
2182
2183 rc = BTM_CMD_STARTED;
2184 if (is_originator)
2185 {
2186 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2187 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2188 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2189 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2190 {
2191 rc = BTM_SUCCESS;
2192 }
2193 }
2194 else
2195 {
2196 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2197 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2198 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2199 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) )
2200 {
2201 // Check for 16 digits (or MITM)
2202 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2203 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2204 btm_dev_16_digit_authenticated(p_dev_rec))) {
2205 rc = BTM_SUCCESS;
2206 }
2207 }
2208 }
2209
2210 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2211 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2212 {
2213 rc = BTM_CMD_STARTED;
2214 }
2215
2216 if (rc == BTM_SUCCESS)
2217 {
2218 if (p_callback)
2219 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2220
2221 return(BTM_SUCCESS);
2222 }
2223 }
2224 else
2225 #endif
2226 {
2227 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
2228 {
2229 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2230 is_originator);
2231 }
2232 else
2233 {
2234 security_required = p_serv_rec->security_flags;
2235 }
2236 }
2237
2238 BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm 0x%04x",
2239 __FUNCTION__, security_required, is_originator, psm);
2240
2241 if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4))
2242 {
2243 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2244 /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */
2245 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2246 {
2247 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
2248 "rmt_support_for_sc : %d -> fail pairing", __FUNCTION__,
2249 local_supports_sc,
2250 p_dev_rec->remote_supports_secure_connections);
2251 if (p_callback)
2252 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2253 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2254
2255 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2256 }
2257 }
2258
2259 /* there are some devices (moto KRZR) which connects to several services at the same time */
2260 /* we will process one after another */
2261 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2262 {
2263 BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x", __func__,
2264 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2265 BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x", security_required, p_dev_rec->sec_flags);
2266 rc = BTM_CMD_STARTED;
2267 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2268 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2269 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2270 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2271 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2272 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2273 {
2274 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2275 * or SM4 with no possibility of link key upgrade */
2276 if (is_originator)
2277 {
2278 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2279 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2280 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2281 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec))) )
2282 {
2283 rc = BTM_SUCCESS;
2284 }
2285 }
2286 else
2287 {
2288 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2289 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2290 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2291 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2292 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2293 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2294 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))))
2295 {
2296 // Check for 16 digits (or MITM)
2297 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2298 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2299 rc = BTM_SUCCESS;
2300 }
2301 }
2302 }
2303
2304 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2305 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2306 {
2307 rc = BTM_CMD_STARTED;
2308 }
2309
2310 if (rc == BTM_SUCCESS)
2311 {
2312 if (p_callback)
2313 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2314 return(BTM_SUCCESS);
2315 }
2316 }
2317
2318 btm_cb.sec_req_pending = TRUE;
2319 return(BTM_CMD_STARTED);
2320 }
2321
2322 /* Save pointer to service record */
2323 p_dev_rec->p_cur_service = p_serv_rec;
2324
2325 /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
2326 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2327 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2328 btm_cb.security_mode == BTM_SEC_MODE_SC)
2329 {
2330 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2331 {
2332 if (is_originator)
2333 {
2334 /* SM4 to SM4 -> always authenticate & encrypt */
2335 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2336 }
2337 else /* acceptor */
2338 {
2339 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2340 chk_acp_auth_done = TRUE;
2341 /* SM4 to SM4 -> always authenticate & encrypt */
2342 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2343 }
2344 }
2345 else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4))
2346 {
2347 /* the remote features are not known yet */
2348 BTM_TRACE_DEBUG("%s: (%s) remote features unknown!!sec_flags:0x%02x", __FUNCTION__,
2349 (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags);
2350
2351 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2352 return (BTM_CMD_STARTED);
2353 }
2354 }
2355
2356 BTM_TRACE_DEBUG ("%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d", __func__,
2357 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2358
2359 old_security_required = p_dev_rec->security_required;
2360 old_is_originator = p_dev_rec->is_originator;
2361 p_dev_rec->security_required = security_required;
2362 p_dev_rec->p_ref_data = p_ref_data;
2363 p_dev_rec->is_originator = is_originator;
2364
2365 #if (L2CAP_UCD_INCLUDED == TRUE)
2366 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK )
2367 p_dev_rec->is_ucd = TRUE;
2368 else
2369 p_dev_rec->is_ucd = FALSE;
2370 #endif
2371
2372 /* If there are multiple service records used through the same PSM */
2373 /* leave security decision for the multiplexor on the top */
2374 #if (L2CAP_UCD_INCLUDED == TRUE)
2375 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2376 &&(!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2377 #else
2378 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2379 #endif
2380 {
2381 BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d", p_dev_rec->sm4, chk_acp_auth_done);
2382 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4))
2383 {
2384 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer", psm);
2385 /* pre-Lisbon: restore the old settings */
2386 p_dev_rec->security_required = old_security_required;
2387 p_dev_rec->is_originator = old_is_originator;
2388
2389 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2390
2391 return(BTM_SUCCESS);
2392 }
2393 }
2394
2395 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now
2396 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect
2397 * response is received */
2398 if (is_originator &&
2399 ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2400 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2401 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2402 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2403 !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001))
2404 {
2405 BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer", psm);
2406 /* restore the old settings */
2407 p_dev_rec->security_required = old_security_required;
2408 p_dev_rec->is_originator = old_is_originator;
2409
2410 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2411
2412 return(BTM_SUCCESS);
2413 }
2414
2415 if (chk_acp_auth_done)
2416 {
2417 BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x",
2418 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2419 /* SM4, but we do not know for sure which level of security we need.
2420 * as long as we have a link key, it's OK */
2421 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2422 ||(0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)))
2423 {
2424 rc = BTM_DELAY_CHECK;
2425 /*
2426 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2427 because of data path issues. Delay this disconnect a little bit
2428 */
2429 LOG_INFO("%s peer should have initiated security process by now (SM4 to SM4)", __func__);
2430 p_dev_rec->p_callback = p_callback;
2431 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC;
2432 (*p_callback) (bd_addr, transport, p_ref_data, rc);
2433
2434 return BTM_SUCCESS;
2435 }
2436 }
2437
2438 p_dev_rec->p_callback = p_callback;
2439
2440 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2441 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id)
2442 {
2443 /* Although authentication and encryption are per connection
2444 ** authorization is per access request. For example when serial connection
2445 ** is up and authorized and client requests to read file (access to other
2446 ** scn), we need to request user's permission again.
2447 */
2448 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2449 }
2450
2451 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2452 {
2453 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2454 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2455 {
2456 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2457 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2458 {
2459 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2460 }
2461 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2462 BTM_SEC_AUTHENTICATED);
2463 BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2464 }
2465 else
2466 {
2467 /* If we already have a link key to the connected peer, is it secure enough? */
2468 btm_sec_check_upgrade(p_dev_rec, is_originator);
2469 }
2470 }
2471
2472 BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d",
2473 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2474 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2475
2476 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2477 {
2478 p_dev_rec->p_callback = NULL;
2479 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2480 }
2481
2482 return(rc);
2483 }
2484
2485 /*******************************************************************************
2486 **
2487 ** Function btm_sec_mx_access_request
2488 **
2489 ** Description This function is called by all Multiplexing Protocols during
2490 ** establishing connection to or from peer device to grant
2491 ** permission to establish application connection.
2492 **
2493 ** Parameters: bd_addr - Address of the peer device
2494 ** psm - L2CAP PSM
2495 ** is_originator - TRUE if protocol above L2CAP originates
2496 ** connection
2497 ** mx_proto_id - protocol ID of the multiplexer
2498 ** mx_chan_id - multiplexer channel to reach application
2499 ** p_callback - Pointer to callback function called if
2500 ** this function returns PENDING after required
2501 ** procedures are completed
2502 ** p_ref_data - Pointer to any reference data needed by the
2503 ** the callback function.
2504 **
2505 ** Returns BTM_CMD_STARTED
2506 **
2507 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2508 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2509 UINT32 mx_proto_id, UINT32 mx_chan_id,
2510 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2511 {
2512 tBTM_SEC_DEV_REC *p_dev_rec;
2513 tBTM_SEC_SERV_REC *p_serv_rec;
2514 tBTM_STATUS rc;
2515 UINT16 security_required;
2516 BOOLEAN transport = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2517
2518 BTM_TRACE_DEBUG ("%s() is_originator: %d", __func__, is_originator);
2519 /* Find or get oldest record */
2520 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2521
2522 /* Find the service record for the PSM */
2523 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2524
2525 /* If there is no application registered with this PSM do not allow connection */
2526 if (!p_serv_rec)
2527 {
2528 if (p_callback)
2529 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2530
2531 BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d",
2532 psm, mx_proto_id, mx_chan_id);
2533 return BTM_NO_RESOURCES;
2534 }
2535
2536 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm)))
2537 {
2538 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2539 is_originator);
2540 }
2541 else
2542 {
2543 security_required = p_serv_rec->security_flags;
2544 }
2545
2546 /* there are some devices (moto phone) which connects to several services at the same time */
2547 /* we will process one after another */
2548 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) )
2549 {
2550 BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s", __func__,
2551 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2552
2553 rc = BTM_CMD_STARTED;
2554
2555 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2556 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2557 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2558 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2559 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2560 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE)))
2561 {
2562 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2563 * or SM4 with no possibility of link key upgrade */
2564 if (is_originator)
2565 {
2566 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2567 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2568 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2569 )
2570 {
2571 rc = BTM_SUCCESS;
2572 }
2573 }
2574 else
2575 {
2576 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2577 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2578 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2579 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2580 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec)||btm_serv_trusted(p_dev_rec, p_serv_rec))&& btm_dev_encrypted(p_dev_rec))) ||
2581 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2582 )
2583 {
2584 // Check for 16 digits (or MITM)
2585 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2586 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2587 rc = BTM_SUCCESS;
2588 }
2589 }
2590 }
2591 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2592 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2593 {
2594 rc = BTM_CMD_STARTED;
2595 }
2596 }
2597
2598 if (rc == BTM_SUCCESS)
2599 {
2600 BTM_TRACE_EVENT("%s: allow to bypass, checking authorization", __FUNCTION__);
2601 /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */
2602 /* btm_sec_execute_procedure */
2603 if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) ||
2604 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE)))
2605 {
2606 BTM_TRACE_EVENT("%s: still need authorization", __FUNCTION__);
2607 rc = BTM_CMD_STARTED;
2608 }
2609 }
2610
2611 /* Check whether there is a pending security procedure, if so we should always queue */
2612 /* the new security request */
2613 if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)
2614 {
2615 BTM_TRACE_EVENT("%s: There is a pending security procedure", __FUNCTION__);
2616 rc = BTM_CMD_STARTED;
2617 }
2618 if (rc == BTM_CMD_STARTED)
2619 {
2620 BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request", __FUNCTION__);
2621 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id,
2622 mx_chan_id, p_callback, p_ref_data);
2623 }
2624 else /* rc == BTM_SUCCESS */
2625 {
2626 /* access granted */
2627 if (p_callback)
2628 {
2629 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc);
2630 }
2631 }
2632
2633 BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s", __FUNCTION__, rc,
2634 btm_pair_state_descr(btm_cb.pairing_state));
2635 return rc;
2636 }
2637
2638 if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) ||
2639 (btm_cb.security_mode == BTM_SEC_MODE_SC)))
2640 {
2641 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2642 /* acceptor receives service connection establishment Request for */
2643 /* Secure Connections Only service */
2644 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
2645 {
2646 BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
2647 "remote_support_for_sc %d: fail pairing",__FUNCTION__,
2648 local_supports_sc, p_dev_rec->remote_supports_secure_connections);
2649
2650 if (p_callback)
2651 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2652 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2653
2654 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2655 }
2656 }
2657
2658 p_dev_rec->p_cur_service = p_serv_rec;
2659 p_dev_rec->security_required = security_required;
2660
2661 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2662 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2663 btm_cb.security_mode == BTM_SEC_MODE_SC)
2664 {
2665 if (BTM_SEC_IS_SM4(p_dev_rec->sm4))
2666 {
2667 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2668 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
2669 {
2670 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2671 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0)
2672 {
2673 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2674 }
2675
2676 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2677 BTM_SEC_AUTHENTICATED);
2678 BTM_TRACE_DEBUG("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2679 }
2680 else
2681 {
2682 /* If we already have a link key, check if that link key is good enough */
2683 btm_sec_check_upgrade(p_dev_rec, is_originator);
2684 }
2685 }
2686 }
2687
2688 p_dev_rec->is_originator = is_originator;
2689 p_dev_rec->p_callback = p_callback;
2690 p_dev_rec->p_ref_data = p_ref_data;
2691
2692 /* Although authentication and encryption are per connection */
2693 /* authorization is per access request. For example when serial connection */
2694 /* is up and authorized and client requests to read file (access to other */
2695 /* scn, we need to request user's permission again. */
2696 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2697
2698 BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d",
2699 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2700 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2701
2702 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
2703 {
2704 if (p_callback)
2705 {
2706 p_dev_rec->p_callback = NULL;
2707 (*p_callback) (bd_addr,transport, p_ref_data, (UINT8)rc);
2708 }
2709 }
2710
2711 return rc;
2712 }
2713
2714 /*******************************************************************************
2715 **
2716 ** Function btm_sec_conn_req
2717 **
2718 ** Description This function is when the peer device is requesting
2719 ** connection
2720 **
2721 ** Returns void
2722 **
2723 *******************************************************************************/
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2724 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2725 {
2726 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
2727
2728 /* Some device may request a connection before we are done with the HCI_Reset sequence */
2729 if (!controller_get_interface()->get_is_ready())
2730 {
2731 BTM_TRACE_EVENT ("Security Manager: connect request when device not ready");
2732 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2733 return;
2734 }
2735
2736 /* Security guys wants us not to allow connection from not paired devices */
2737
2738 /* Check if connection is allowed for only paired devices */
2739 if (btm_cb.connect_only_paired)
2740 {
2741 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))
2742 {
2743 BTM_TRACE_EVENT ("Security Manager: connect request from non-paired device");
2744 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2745 return;
2746 }
2747 }
2748
2749 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2750 /* If non-discoverable, only allow known devices to connect */
2751 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE)
2752 {
2753 if (!p_dev_rec)
2754 {
2755 BTM_TRACE_EVENT ("Security Manager: connect request from not paired device");
2756 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2757 return;
2758 }
2759 }
2760 #endif
2761
2762 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2763 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2764 &&(!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN)))
2765 {
2766 BTM_TRACE_EVENT ("Security Manager: reject connect request from bonding device");
2767
2768 /* incoming connection from bonding device is rejected */
2769 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2770 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2771 return;
2772 }
2773
2774 /* Host is not interested or approved connection. Save BDA and DC and */
2775 /* pass request to L2CAP */
2776 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2777 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN);
2778
2779 if (l2c_link_hci_conn_req (bda))
2780 {
2781 if (!p_dev_rec)
2782 {
2783 /* accept the connection -> allocate a device record */
2784 p_dev_rec = btm_sec_alloc_dev (bda);
2785 }
2786 if (p_dev_rec)
2787 {
2788 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2789 }
2790 }
2791 }
2792
2793 /*******************************************************************************
2794 **
2795 ** Function btm_sec_bond_cancel_complete
2796 **
2797 ** Description This function is called to report bond cancel complete
2798 ** event.
2799 **
2800 ** Returns void
2801 **
2802 *******************************************************************************/
btm_sec_bond_cancel_complete(void)2803 static void btm_sec_bond_cancel_complete (void)
2804 {
2805 tBTM_SEC_DEV_REC *p_dev_rec;
2806
2807 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2808 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2809 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2810 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2811 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags))
2812 {
2813 /* for dedicated bonding in legacy mode, authentication happens at "link level"
2814 * btm_sec_connected is called with failed status.
2815 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2816 * However, this function may clean out the security related flags and btm_sec_connected would not know
2817 * this function also needs to do proper clean up.
2818 */
2819 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL)
2820 p_dev_rec->security_required = BTM_SEC_NONE;
2821 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2822
2823 /* Notify application that the cancel succeeded */
2824 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2825 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2826 }
2827 }
2828
2829 /*******************************************************************************
2830 **
2831 ** Function btm_create_conn_cancel_complete
2832 **
2833 ** Description This function is called when the command complete message
2834 ** is received from the HCI for the create connection cancel
2835 ** command.
2836 **
2837 ** Returns void
2838 **
2839 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2840 void btm_create_conn_cancel_complete (UINT8 *p)
2841 {
2842 UINT8 status;
2843
2844 STREAM_TO_UINT8 (status, p);
2845 BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s status:%d",
2846 btm_pair_state_descr(btm_cb.pairing_state), status);
2847
2848 /* if the create conn cancel cmd was issued by the bond cancel,
2849 ** the application needs to be notified that bond cancel succeeded
2850 */
2851 switch (status)
2852 {
2853 case HCI_SUCCESS:
2854 btm_sec_bond_cancel_complete();
2855 break;
2856 case HCI_ERR_CONNECTION_EXISTS:
2857 case HCI_ERR_NO_CONNECTION:
2858 default:
2859 /* Notify application of the error */
2860 if (btm_cb.api.p_bond_cancel_cmpl_callback)
2861 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2862 break;
2863 }
2864 }
2865
2866 /*******************************************************************************
2867 **
2868 ** Function btm_sec_check_pending_reqs
2869 **
2870 ** Description This function is called at the end of the security procedure
2871 ** to let L2CAP and RFCOMM know to re-submit any pending requests
2872 **
2873 ** Returns void
2874 **
2875 *******************************************************************************/
btm_sec_check_pending_reqs(void)2876 void btm_sec_check_pending_reqs (void)
2877 {
2878 tBTM_SEC_QUEUE_ENTRY *p_e;
2879 BUFFER_Q bq;
2880
2881 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
2882 {
2883 /* First, resubmit L2CAP requests */
2884 if (btm_cb.sec_req_pending)
2885 {
2886 btm_cb.sec_req_pending = FALSE;
2887 l2cu_resubmit_pending_sec_req (NULL);
2888 }
2889
2890 /* Now, re-submit anything in the mux queue */
2891 bq = btm_cb.sec_pending_q;
2892
2893 GKI_init_q (&btm_cb.sec_pending_q);
2894
2895 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_dequeue (&bq)) != NULL)
2896 {
2897 /* Check that the ACL is still up before starting security procedures */
2898 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL)
2899 {
2900 if (p_e->psm != 0)
2901 {
2902 BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u",
2903 __FUNCTION__, p_e->psm, p_e->is_orig,
2904 p_e->mx_proto_id, p_e->mx_chan_id);
2905
2906 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2907 p_e->mx_proto_id, p_e->mx_chan_id,
2908 p_e->p_callback, p_e->p_ref_data);
2909 }
2910 else
2911 {
2912 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2913 p_e->p_ref_data);
2914 }
2915 }
2916
2917 GKI_freebuf (p_e);
2918 }
2919 }
2920 }
2921
2922 /*******************************************************************************
2923 **
2924 ** Function btm_sec_init
2925 **
2926 ** Description This function is on the SEC startup
2927 **
2928 ** Returns void
2929 **
2930 *******************************************************************************/
btm_sec_init(UINT8 sec_mode)2931 void btm_sec_init (UINT8 sec_mode)
2932 {
2933 btm_cb.security_mode = sec_mode;
2934 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2935 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2936 }
2937
2938 /*******************************************************************************
2939 **
2940 ** Function btm_sec_device_down
2941 **
2942 ** Description This function should be called when device is disabled or
2943 ** turned off
2944 **
2945 ** Returns void
2946 **
2947 *******************************************************************************/
btm_sec_device_down(void)2948 void btm_sec_device_down (void)
2949 {
2950 BTM_TRACE_EVENT ("%s() State: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
2951 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2952 }
2953
2954 /*******************************************************************************
2955 **
2956 ** Function btm_sec_dev_reset
2957 **
2958 ** Description This function should be called after device reset
2959 **
2960 ** Returns void
2961 **
2962 *******************************************************************************/
btm_sec_dev_reset(void)2963 void btm_sec_dev_reset (void)
2964 {
2965 if (controller_get_interface()->supports_simple_pairing())
2966 {
2967 /* set the default IO capabilities */
2968 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2969 /* add mx service to use no security */
2970 BTM_SetSecurityLevel(FALSE, "RFC_MUX", BTM_SEC_SERVICE_RFC_MUX,
2971 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2972 }
2973 else
2974 {
2975 btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2976 }
2977
2978 BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d", btm_cb.security_mode);
2979 }
2980
2981 /*******************************************************************************
2982 **
2983 ** Function btm_sec_abort_access_req
2984 **
2985 ** Description This function is called by the L2CAP or RFCOMM to abort
2986 ** the pending operation.
2987 **
2988 ** Parameters: bd_addr - Address of the peer device
2989 **
2990 ** Returns void
2991 **
2992 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2993 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2994 {
2995 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2996
2997 if (!p_dev_rec)
2998 return;
2999
3000 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
3001 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING))
3002 return;
3003
3004 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3005 p_dev_rec->p_callback = NULL;
3006 }
3007
3008 /*******************************************************************************
3009 **
3010 ** Function btm_sec_dd_create_conn
3011 **
3012 ** Description This function is called to create the ACL connection for
3013 ** the dedicated boding process
3014 **
3015 ** Returns void
3016 **
3017 *******************************************************************************/
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)3018 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
3019 {
3020 tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
3021 if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING))
3022 {
3023 BTM_TRACE_WARNING("%s Connection already exists", __func__);
3024 return BTM_CMD_STARTED;
3025 }
3026
3027 /* Make sure an L2cap link control block is available */
3028 if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL)
3029 {
3030 BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]",
3031 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3032 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3033
3034 return(BTM_NO_RESOURCES);
3035 }
3036
3037 /* set up the control block to indicated dedicated bonding */
3038 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
3039
3040 if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE)
3041 {
3042 BTM_TRACE_WARNING ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]",
3043 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3044 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3045
3046 l2cu_release_lcb(p_lcb);
3047 return(BTM_NO_RESOURCES);
3048 }
3049
3050 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
3051
3052 BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]",
3053 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
3054 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
3055
3056 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
3057
3058 return(BTM_CMD_STARTED);
3059 }
3060
3061 /*******************************************************************************
3062 **
3063 ** Function btm_sec_rmt_name_request_complete
3064 **
3065 ** Description This function is called when remote name was obtained from
3066 ** the peer device
3067 **
3068 ** Returns void
3069 **
3070 *******************************************************************************/
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)3071 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
3072 {
3073 tBTM_SEC_DEV_REC *p_dev_rec;
3074 int i;
3075 DEV_CLASS dev_class;
3076 UINT8 old_sec_state;
3077
3078 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete");
3079 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
3080 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr)))
3081 {
3082 btm_acl_resubmit_page();
3083 }
3084
3085 /* If remote name request failed, p_bd_addr is null and we need to search */
3086 /* based on state assuming that we are doing 1 at a time */
3087 if (p_bd_addr)
3088 p_dev_rec = btm_find_dev (p_bd_addr);
3089 else
3090 {
3091 p_dev_rec = &btm_cb.sec_dev_rec[0];
3092
3093 for (i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
3094 {
3095 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
3096 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME))
3097 {
3098 p_bd_addr = p_dev_rec->bd_addr;
3099 break;
3100 }
3101 }
3102
3103 if (i == BTM_SEC_MAX_DEVICE_RECORDS)
3104 p_dev_rec = NULL;
3105 }
3106
3107
3108 /* Commenting out trace due to obf/compilation problems.
3109 */
3110 #if (BT_USE_TRACES == TRUE)
3111 if (!p_bd_name)
3112 p_bd_name = (UINT8 *)"";
3113
3114 if (p_dev_rec)
3115 {
3116 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d State:%d p_dev_rec: 0x%08x ",
3117 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3118 status, p_dev_rec->sec_state, p_dev_rec);
3119 }
3120 else
3121 {
3122 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d",
3123 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3124 status);
3125 }
3126 #endif
3127
3128 if (p_dev_rec)
3129 {
3130 old_sec_state = p_dev_rec->sec_state;
3131 if (status == HCI_SUCCESS)
3132 {
3133 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, sizeof (p_dev_rec->sec_bd_name), (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3134 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3135 BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x", p_dev_rec->sec_flags);
3136 }
3137 else
3138 {
3139 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3140 p_dev_rec->sec_bd_name[0] = 0;
3141 }
3142
3143 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)
3144 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3145
3146 /* Notify all clients waiting for name to be resolved */
3147 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3148 {
3149 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3150 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3151 p_dev_rec->sec_bd_name);
3152 }
3153 }
3154 else
3155 {
3156 dev_class[0] = 0;
3157 dev_class[1] = 0;
3158 dev_class[2] = 0;
3159
3160 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3161 for (i = 0;i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++)
3162 {
3163 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr)
3164 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3165 }
3166
3167 return;
3168 }
3169
3170 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3171 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3172 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) )
3173 {
3174 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=0x%p)", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3175
3176 if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
3177 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
3178 btm_cb.api.p_pin_callback)
3179 {
3180 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback");
3181 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3182 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name,
3183 (p_dev_rec->p_cur_service==NULL) ? FALSE
3184 : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN));
3185 }
3186
3187 /* Set the same state again to force the timer to be restarted */
3188 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3189 return;
3190 }
3191
3192 /* Check if we were delaying bonding because name was not resolved */
3193 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME)
3194 {
3195 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0)
3196 {
3197 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x", p_dev_rec->sm4, status);
3198 if(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD)
3199 {
3200 btm_sec_bond_cancel_complete();
3201 return;
3202 }
3203
3204 if (status != HCI_SUCCESS)
3205 {
3206 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3207
3208 if (btm_cb.api.p_auth_complete_callback)
3209 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3210 p_dev_rec->sec_bd_name, status);
3211 return;
3212 }
3213
3214 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3215 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3216 {
3217 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3218 /* If it is set, there may be a race condition */
3219 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete IS_SM4_UNKNOWN Flags:0x%04x",
3220 btm_cb.pairing_flags);
3221 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0)
3222 {
3223 p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3224 }
3225 }
3226
3227 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d",__FUNCTION__,
3228 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3229 BTM_SEC_IS_SM4(p_dev_rec->sm4),BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3230
3231 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3232 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3233 */
3234 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec))
3235 {
3236 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3237 /* before originating */
3238 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)
3239 {
3240 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection");
3241 }
3242 /* Both we and the peer are 2.1 - continue to create connection */
3243 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
3244 {
3245 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection");
3246
3247 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3248
3249 if (btm_cb.api.p_auth_complete_callback)
3250 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3251 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3252 }
3253 }
3254 return;
3255 }
3256 else
3257 {
3258 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA");
3259
3260 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3261 return;
3262 }
3263 }
3264
3265 /* check if we were delaying link_key_callback because name was not resolved */
3266 if (p_dev_rec->link_key_not_sent)
3267 {
3268 /* If HCI connection complete has not arrived, wait for it */
3269 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
3270 return;
3271
3272 p_dev_rec->link_key_not_sent = FALSE;
3273 btm_send_link_key_notif(p_dev_rec);
3274
3275 /* If its not us who perform authentication, we should tell stackserver */
3276 /* that some authentication has been completed */
3277 /* This is required when different entities receive link notification and auth complete */
3278 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
3279 {
3280 if (btm_cb.api.p_auth_complete_callback)
3281 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3282 p_dev_rec->dev_class,
3283 p_dev_rec->sec_bd_name, HCI_SUCCESS);
3284
3285 }
3286 }
3287
3288 /* If this is a bonding procedure can disconnect the link now */
3289 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3290 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
3291 {
3292 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)");
3293 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3294 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3295 return;
3296 }
3297
3298 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME)
3299 return;
3300
3301 /* If get name failed, notify the waiting layer */
3302 if (status != HCI_SUCCESS)
3303 {
3304 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3305 return;
3306 }
3307
3308 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND)
3309 {
3310 BTM_TRACE_EVENT ("waiting for remote features!!");
3311 return;
3312 }
3313
3314 /* Remote Name succeeded, execute the next security procedure, if any */
3315 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3316
3317 /* If result is pending reply from the user or from the device is pending */
3318 if (status == BTM_CMD_STARTED)
3319 return;
3320
3321 /* There is no next procedure or start of procedure failed, notify the waiting layer */
3322 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
3323 }
3324
3325 /*******************************************************************************
3326 **
3327 ** Function btm_sec_rmt_host_support_feat_evt
3328 **
3329 ** Description This function is called when the
3330 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3331 **
3332 ** Returns void
3333 **
3334 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3335 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3336 {
3337 tBTM_SEC_DEV_REC *p_dev_rec;
3338 BD_ADDR bd_addr; /* peer address */
3339 BD_FEATURES features;
3340
3341 STREAM_TO_BDADDR (bd_addr, p);
3342 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3343
3344 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x", p_dev_rec->sm4, p[0]);
3345
3346 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
3347 {
3348 p_dev_rec->sm4 = BTM_SM4_KNOWN;
3349 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3350 if (HCI_SSP_HOST_SUPPORTED(features))
3351 {
3352 p_dev_rec->sm4 = BTM_SM4_TRUE;
3353 }
3354 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x", p_dev_rec->sm4, features[0]);
3355 }
3356 }
3357
3358 /*******************************************************************************
3359 **
3360 ** Function btm_io_capabilities_req
3361 **
3362 ** Description This function is called when LM request for the IO
3363 ** capability of the local device and
3364 ** if the OOB data is present for the device in the event
3365 **
3366 ** Returns void
3367 **
3368 *******************************************************************************/
btm_io_capabilities_req(UINT8 * p)3369 void btm_io_capabilities_req (UINT8 *p)
3370 {
3371 tBTM_SP_IO_REQ evt_data;
3372 UINT8 err_code = 0;
3373 tBTM_SEC_DEV_REC *p_dev_rec;
3374 BOOLEAN is_orig = TRUE;
3375 UINT8 callback_rc = BTM_SUCCESS;
3376
3377 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3378
3379 /* setup the default response according to compile options */
3380 /* assume that the local IO capability does not change
3381 * loc_io_caps is initialized with the default value */
3382 evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3383 evt_data.oob_data = BTM_OOB_NONE;
3384 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3385
3386 BTM_TRACE_EVENT("%s: State: %s", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state));
3387
3388 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3389
3390 BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d", __FUNCTION__,
3391 btm_cb.security_mode, p_dev_rec->num_read_pages);
3392
3393 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0))
3394 {
3395 BTM_TRACE_EVENT("%s: Device security mode is SC only.",
3396 "To continue need to know remote features.", __FUNCTION__);
3397
3398 p_dev_rec->remote_features_needed = TRUE;
3399 return;
3400 }
3401
3402 p_dev_rec->sm4 |= BTM_SM4_TRUE;
3403
3404 BTM_TRACE_EVENT("%s: State: %s Flags: 0x%04x p_cur_service: 0x%08x",
3405 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state),
3406 btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3407
3408 if (p_dev_rec->p_cur_service)
3409 {
3410 BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x",
3411 __FUNCTION__, p_dev_rec->p_cur_service->psm,
3412 p_dev_rec->p_cur_service->security_flags);
3413 }
3414
3415 switch (btm_cb.pairing_state)
3416 {
3417 /* initiator connecting */
3418 case BTM_PAIR_STATE_IDLE:
3419 //TODO: Handle Idle pairing state
3420 //security_required = p_dev_rec->security_required;
3421 break;
3422
3423 /* received IO capability response already->acceptor */
3424 case BTM_PAIR_STATE_INCOMING_SSP:
3425 is_orig = FALSE;
3426
3427 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD)
3428 {
3429 /* acceptor in dedicated bonding */
3430 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3431 }
3432 break;
3433
3434 /* initiator, at this point it is expected to be dedicated bonding
3435 initiated by local device */
3436 case BTM_PAIR_STATE_WAIT_PIN_REQ:
3437 if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN))
3438 {
3439 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3440 }
3441 else
3442 {
3443 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3444 }
3445 break;
3446
3447 /* any other state is unexpected */
3448 default:
3449 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3450 BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d", __FUNCTION__,
3451 btm_cb.pairing_state);
3452 break;
3453 }
3454
3455 if (btm_cb.pairing_disabled)
3456 {
3457 /* pairing is not allowed */
3458 BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.", __FUNCTION__);
3459 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3460 }
3461 else if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3462 {
3463 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
3464 /* device in Secure Connections Only mode */
3465 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections))
3466 {
3467 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
3468 " remote_support_for_sc 0x%02x -> fail pairing", __FUNCTION__,
3469 local_supports_sc, p_dev_rec->remote_supports_secure_connections);
3470
3471 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3472 }
3473 }
3474
3475 if (err_code != 0)
3476 {
3477 /* coverity[uninit_use_in_call]
3478 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3479 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3480 */
3481 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3482 return;
3483 }
3484
3485 evt_data.is_orig = is_orig;
3486
3487 if (is_orig)
3488 {
3489 /* local device initiated the pairing non-bonding -> use p_cur_service */
3490 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3491 p_dev_rec->p_cur_service &&
3492 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE))
3493 {
3494 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3495 {
3496 /* SC only mode device requires MITM protection */
3497 evt_data.auth_req = BTM_AUTH_SP_YES;
3498 }
3499 else
3500 {
3501 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags &
3502 BTM_SEC_OUT_MITM)? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3503 }
3504 }
3505 }
3506
3507 /* Notify L2CAP to increase timeout */
3508 l2c_pin_code_request (evt_data.bd_addr);
3509
3510 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3511
3512 /* coverity[uninit_use_in_call]
3513 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3514 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3515 */
3516 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3517 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3518
3519 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3520
3521 callback_rc = BTM_SUCCESS;
3522 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE)
3523 {
3524 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3525
3526 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3527 evt_data.auth_req = BTM_AUTH_SPGB_YES;
3528 }
3529 else if (btm_cb.api.p_sp_callback)
3530 {
3531 /* the callback function implementation may change the IO capability... */
3532 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3533 }
3534
3535 #if BTM_OOB_INCLUDED == TRUE
3536 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3537 #else
3538 if (callback_rc == BTM_SUCCESS)
3539 #endif
3540 {
3541 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD))
3542 {
3543 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3544 }
3545
3546 if (btm_cb.security_mode == BTM_SEC_MODE_SC)
3547 {
3548 /* At this moment we know that both sides are SC capable, device in */
3549 /* SC only mode requires MITM for any service so let's set MITM bit */
3550 evt_data.auth_req |= BTM_AUTH_YN_BIT;
3551 BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x",
3552 __FUNCTION__, evt_data.auth_req);
3553 }
3554
3555 /* if the user does not indicate "reply later" by setting the oob_data to unknown */
3556 /* send the response right now. Save the current IO capability in the control block */
3557 btm_cb.devcb.loc_auth_req = evt_data.auth_req;
3558 btm_cb.devcb.loc_io_caps = evt_data.io_cap;
3559
3560 BTM_TRACE_EVENT("%s: State: %s IO_CAP:%d oob_data:%d auth_req:%d",
3561 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3562 evt_data.oob_data, evt_data.auth_req);
3563
3564 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3565 evt_data.oob_data, evt_data.auth_req);
3566 }
3567 }
3568
3569 /*******************************************************************************
3570 **
3571 ** Function btm_io_capabilities_rsp
3572 **
3573 ** Description This function is called when the IO capability of the
3574 ** specified device is received
3575 **
3576 ** Returns void
3577 **
3578 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3579 void btm_io_capabilities_rsp (UINT8 *p)
3580 {
3581 tBTM_SEC_DEV_REC *p_dev_rec;
3582 tBTM_SP_IO_RSP evt_data;
3583
3584 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3585 STREAM_TO_UINT8 (evt_data.io_cap, p);
3586 STREAM_TO_UINT8 (evt_data.oob_data, p);
3587 STREAM_TO_UINT8 (evt_data.auth_req, p);
3588
3589 /* Allocate a new device record or reuse the oldest one */
3590 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3591
3592 /* If no security is in progress, this indicates incoming security */
3593 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
3594 {
3595 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3596
3597 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3598
3599 /* Make sure we reset the trusted mask to help against attacks */
3600 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3601
3602 /* work around for FW bug */
3603 btm_inq_stop_on_ssp();
3604 }
3605
3606 /* Notify L2CAP to increase timeout */
3607 l2c_pin_code_request (evt_data.bd_addr);
3608
3609 /* We must have a device record here.
3610 * Use the connecting device's CoD for the connection */
3611 /* coverity[uninit_use_in_call]
3612 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3613 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3614 */
3615 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN))
3616 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3617
3618 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3619 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3620 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) /* and dedicated bonding bit is set */
3621 {
3622 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3623 }
3624
3625 /* save the IO capability in the device record */
3626 p_dev_rec->rmt_io_caps = evt_data.io_cap;
3627 p_dev_rec->rmt_auth_req = evt_data.auth_req;
3628
3629 if (btm_cb.api.p_sp_callback)
3630 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3631 }
3632
3633 /*******************************************************************************
3634 **
3635 ** Function btm_proc_sp_req_evt
3636 **
3637 ** Description This function is called to process/report
3638 ** HCI_USER_CONFIRMATION_REQUEST_EVT
3639 ** or HCI_USER_PASSKEY_REQUEST_EVT
3640 ** or HCI_USER_PASSKEY_NOTIFY_EVT
3641 **
3642 ** Returns void
3643 **
3644 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3645 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3646 {
3647 tBTM_STATUS status = BTM_ERR_PROCESSING;
3648 tBTM_SP_EVT_DATA evt_data;
3649 UINT8 *p_bda = evt_data.cfm_req.bd_addr;
3650 tBTM_SEC_DEV_REC *p_dev_rec;
3651
3652 /* All events start with bd_addr */
3653 STREAM_TO_BDADDR (p_bda, p);
3654
3655 BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s",
3656 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3657 event, btm_pair_state_descr(btm_cb.pairing_state));
3658
3659 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3660 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3661 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
3662 {
3663 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3664 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3665
3666 BCM_STRNCPY_S ((char *)evt_data.cfm_req.bd_name, sizeof(evt_data.cfm_req.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3667
3668 switch (event)
3669 {
3670 case BTM_SP_CFM_REQ_EVT:
3671 /* Numeric confirmation. Need user to conf the passkey */
3672 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3673
3674 /* The device record must be allocated in the "IO cap exchange" step */
3675 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3676
3677 evt_data.cfm_req.just_works = TRUE;
3678
3679 /* process user confirm req in association with the auth_req param */
3680 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3681 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3682 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3683 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) )
3684 {
3685 /* Both devices are DisplayYesNo and one or both devices want to authenticate
3686 -> use authenticated link key */
3687 evt_data.cfm_req.just_works = FALSE;
3688 }
3689 #endif
3690 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d",
3691 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3692 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3693
3694 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req;
3695 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req;
3696 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps;
3697 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps;
3698 break;
3699
3700 case BTM_SP_KEY_NOTIF_EVT:
3701 /* Passkey notification (other side is a keyboard) */
3702 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3703
3704 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT: passkey: %u", evt_data.key_notif.passkey);
3705
3706 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3707 break;
3708
3709 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3710 case BTM_SP_KEY_REQ_EVT:
3711 /* HCI_USER_PASSKEY_REQUEST_EVT */
3712 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3713 break;
3714 #endif
3715 }
3716
3717 if (btm_cb.api.p_sp_callback)
3718 {
3719 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3720 if (status != BTM_NOT_AUTHORIZED)
3721 {
3722 return;
3723 }
3724 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3725 }
3726 else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) )
3727 {
3728 /* automatically reply with just works if no sp_cback */
3729 status = BTM_SUCCESS;
3730 }
3731
3732 if (event == BTM_SP_CFM_REQ_EVT)
3733 {
3734 BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d", status);
3735 BTM_ConfirmReqReply (status, p_bda);
3736 }
3737 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3738 else if (event == BTM_SP_KEY_REQ_EVT)
3739 {
3740 BTM_PasskeyReqReply(status, p_bda, 0);
3741 }
3742 #endif
3743 return;
3744 }
3745
3746 /* Something bad. we can only fail this connection */
3747 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3748
3749 if (BTM_SP_CFM_REQ_EVT == event)
3750 {
3751 btsnd_hcic_user_conf_reply (p_bda, FALSE);
3752 }
3753 else if (BTM_SP_KEY_NOTIF_EVT == event)
3754 {
3755 /* do nothing -> it very unlikely to happen.
3756 This event is most likely to be received by a HID host when it first connects to a HID device.
3757 Usually the Host initiated the connection in this case.
3758 On Mobile platforms, if there's a security process happening,
3759 the host probably can not initiate another connection.
3760 BTW (PC) is another story. */
3761 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) )
3762 {
3763 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3764 }
3765 }
3766 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
3767 else
3768 {
3769 btsnd_hcic_user_passkey_neg_reply(p_bda);
3770 }
3771 #endif
3772 }
3773
3774 /*******************************************************************************
3775 **
3776 ** Function btm_keypress_notif_evt
3777 **
3778 ** Description This function is called when a key press notification is
3779 ** received
3780 **
3781 ** Returns void
3782 **
3783 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3784 void btm_keypress_notif_evt (UINT8 *p)
3785 {
3786 tBTM_SP_KEYPRESS evt_data;
3787 UINT8 *p_bda;
3788
3789 /* parse & report BTM_SP_KEYPRESS_EVT */
3790 if (btm_cb.api.p_sp_callback)
3791 {
3792 p_bda = evt_data.bd_addr;
3793
3794 STREAM_TO_BDADDR (p_bda, p);
3795 evt_data.notif_type = *p;
3796
3797 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3798 }
3799 }
3800
3801 /*******************************************************************************
3802 **
3803 ** Function btm_simple_pair_complete
3804 **
3805 ** Description This function is called when simple pairing process is
3806 ** complete
3807 **
3808 ** Returns void
3809 **
3810 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3811 void btm_simple_pair_complete (UINT8 *p)
3812 {
3813 tBTM_SP_COMPLT evt_data;
3814 tBTM_SEC_DEV_REC *p_dev_rec;
3815 UINT8 status;
3816 BOOLEAN disc = FALSE;
3817
3818 status = *p++;
3819 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3820
3821 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL)
3822 {
3823 BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x",
3824 (evt_data.bd_addr[0]<<24) + (evt_data.bd_addr[1]<<16) + (evt_data.bd_addr[2]<<8) + evt_data.bd_addr[3],
3825 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3826 return;
3827 }
3828
3829 BTM_TRACE_EVENT ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u",
3830 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state);
3831
3832 evt_data.status = BTM_ERR_PROCESSING;
3833 if (status == HCI_SUCCESS)
3834 {
3835 evt_data.status = BTM_SUCCESS;
3836 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3837 }
3838 else
3839 {
3840 if (status == HCI_ERR_PAIRING_NOT_ALLOWED)
3841 {
3842 /* The test spec wants the peer device to get this failure code. */
3843 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3844
3845 /* Change the timer to 1 second */
3846 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3847 }
3848 else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0)
3849 {
3850 /* stop the timer */
3851 btu_stop_timer (&btm_cb.pairing_tle);
3852
3853 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
3854 {
3855 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3856 disc = TRUE;
3857 }
3858 }
3859 else
3860 disc = TRUE;
3861 }
3862
3863 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3864 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3865 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3866
3867 if (btm_cb.api.p_sp_callback)
3868 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3869
3870 if (disc)
3871 {
3872 /* simple pairing failed */
3873 /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3874 if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))
3875 {
3876 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3877 }
3878 }
3879 }
3880
3881 #if BTM_OOB_INCLUDED == TRUE
3882 /*******************************************************************************
3883 **
3884 ** Function btm_rem_oob_req
3885 **
3886 ** Description This function is called to process/report
3887 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT
3888 **
3889 ** Returns void
3890 **
3891 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3892 void btm_rem_oob_req (UINT8 *p)
3893 {
3894 UINT8 *p_bda;
3895 tBTM_SP_RMT_OOB evt_data;
3896 tBTM_SEC_DEV_REC *p_dev_rec;
3897 BT_OCTET16 c;
3898 BT_OCTET16 r;
3899
3900 p_bda = evt_data.bd_addr;
3901
3902 STREAM_TO_BDADDR (p_bda, p);
3903
3904 BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
3905 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3906
3907 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3908 btm_cb.api.p_sp_callback)
3909 {
3910 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3911 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3912 BCM_STRNCPY_S((char *)evt_data.bd_name, sizeof(evt_data.bd_name), (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN+1);
3913 evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3914
3915 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3916 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED)
3917 {
3918 BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3919 }
3920 return;
3921 }
3922
3923 /* something bad. we can only fail this connection */
3924 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3925 btsnd_hcic_rem_oob_neg_reply (p_bda);
3926 }
3927
3928 /*******************************************************************************
3929 **
3930 ** Function btm_read_local_oob_complete
3931 **
3932 ** Description This function is called when read local oob data is
3933 ** completed by the LM
3934 **
3935 ** Returns void
3936 **
3937 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3938 void btm_read_local_oob_complete (UINT8 *p)
3939 {
3940 tBTM_SP_LOC_OOB evt_data;
3941 UINT8 status = *p++;
3942
3943 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d", status);
3944 if (status == HCI_SUCCESS)
3945 {
3946 evt_data.status = BTM_SUCCESS;
3947 STREAM_TO_ARRAY16(evt_data.c, p);
3948 STREAM_TO_ARRAY16(evt_data.r, p);
3949 }
3950 else
3951 evt_data.status = BTM_ERR_PROCESSING;
3952
3953 if (btm_cb.api.p_sp_callback)
3954 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3955 }
3956 #endif /* BTM_OOB_INCLUDED */
3957
3958 /*******************************************************************************
3959 **
3960 ** Function btm_sec_auth_collision
3961 **
3962 ** Description This function is called when authentication or encryption
3963 ** needs to be retried at a later time.
3964 **
3965 ** Returns void
3966 **
3967 *******************************************************************************/
btm_sec_auth_collision(UINT16 handle)3968 static void btm_sec_auth_collision (UINT16 handle)
3969 {
3970 tBTM_SEC_DEV_REC *p_dev_rec;
3971
3972 if (!btm_cb.collision_start_time)
3973 btm_cb.collision_start_time = GKI_get_os_tick_count();
3974
3975 if ((GKI_get_os_tick_count() - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3976 {
3977 if (handle == BTM_SEC_INVALID_HANDLE)
3978 {
3979 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL)
3980 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3981 }
3982 else
3983 p_dev_rec = btm_find_dev_by_handle (handle);
3984
3985 if (p_dev_rec != NULL)
3986 {
3987 BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)", p_dev_rec->sec_state);
3988 /* We will restart authentication after timeout */
3989 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING)
3990 p_dev_rec->sec_state = 0;
3991
3992 btm_cb.p_collided_dev_rec = p_dev_rec;
3993 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
3994 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3995 }
3996 }
3997 }
3998
3999 /*******************************************************************************
4000 **
4001 ** Function btm_sec_auth_complete
4002 **
4003 ** Description This function is when authentication of the connection is
4004 ** completed by the LM
4005 **
4006 ** Returns void
4007 **
4008 *******************************************************************************/
btm_sec_auth_complete(UINT16 handle,UINT8 status)4009 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
4010 {
4011 UINT8 old_sm4;
4012 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
4013 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4014 BOOLEAN are_bonding = FALSE;
4015
4016 /* Commenting out trace due to obf/compilation problems.
4017 */
4018 #if (BT_USE_TRACES == TRUE)
4019 if (p_dev_rec)
4020 {
4021 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s",
4022 btm_pair_state_descr (btm_cb.pairing_state),
4023 handle, status,
4024 p_dev_rec->sec_state,
4025 (p_dev_rec->bd_addr[2]<<24)+(p_dev_rec->bd_addr[3]<<16)+(p_dev_rec->bd_addr[4]<<8)+p_dev_rec->bd_addr[5],
4026 p_dev_rec->sec_bd_name);
4027 }
4028 else
4029 {
4030 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d",
4031 btm_pair_state_descr (btm_cb.pairing_state),
4032 handle, status);
4033 }
4034 #endif
4035
4036 /* For transaction collision we need to wait and repeat. There is no need */
4037 /* for random timeout because only slave should receive the result */
4038 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4039 {
4040 btm_sec_auth_collision(handle);
4041 return;
4042 }
4043 btm_cb.collision_start_time = 0;
4044
4045 btm_restore_mode();
4046
4047 /* Check if connection was made just to do bonding. If we authenticate
4048 the connection that is up, this is the last event received.
4049 */
4050 if (p_dev_rec
4051 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4052 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE))
4053 {
4054 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4055
4056 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4057 }
4058
4059 if (!p_dev_rec)
4060 return;
4061
4062 /* keep the old sm4 flag and clear the retry bit in control block */
4063 old_sm4 = p_dev_rec->sm4;
4064 p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
4065
4066 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4067 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4068 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4069 are_bonding = TRUE;
4070
4071 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4072 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) )
4073 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4074
4075 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)
4076 {
4077 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
4078 && (old_state != BTM_PAIR_STATE_IDLE) )
4079 {
4080 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4081 p_dev_rec->dev_class,
4082 p_dev_rec->sec_bd_name, status);
4083 }
4084 return;
4085 }
4086
4087 /* There can be a race condition, when we are starting authentication and
4088 ** the peer device is doing encryption.
4089 ** If first we receive encryption change up, then initiated authentication
4090 ** can not be performed. According to the spec we can not do authentication
4091 ** on the encrypted link, so device is correct.
4092 */
4093 if ((status == HCI_ERR_COMMAND_DISALLOWED)
4094 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
4095 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)))
4096 {
4097 status = HCI_SUCCESS;
4098 }
4099 /* Currently we do not notify user if it is a keyboard which connects */
4100 /* User probably Disabled the keyboard while it was asleap. Let her try */
4101 if (btm_cb.api.p_auth_complete_callback)
4102 {
4103 /* report the suthentication status */
4104 if (old_state != BTM_PAIR_STATE_IDLE)
4105 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4106 p_dev_rec->dev_class,
4107 p_dev_rec->sec_bd_name, status);
4108 }
4109
4110 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4111
4112 /* If this is a bonding procedure can disconnect the link now */
4113 if (are_bonding)
4114 {
4115 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4116
4117 if (status != HCI_SUCCESS)
4118 {
4119 if(((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)))
4120 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
4121 }
4122 else
4123 {
4124 BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL");
4125 if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec))
4126 /* no LE keys are available, do deriving */
4127 && (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4128 /* or BR key is higher security than existing LE keys */
4129 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
4130 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4131 {
4132 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL");
4133
4134 if (btm_sec_is_master(p_dev_rec))
4135 {
4136 // Encryption is required to start SM over BR/EDR
4137 // indicate that this is encryption after authentication
4138 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL);
4139 }
4140 }
4141 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
4142 }
4143
4144 return;
4145 }
4146
4147 /* If authentication failed, notify the waiting layer */
4148 if (status != HCI_SUCCESS)
4149 {
4150 if ((old_sm4 & BTM_SM4_RETRY) == 0)
4151 {
4152 /* allow retry only once */
4153 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION)
4154 {
4155 /* not retried yet. set the retry bit */
4156 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4157 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4158 }
4159 /* this retry for missing key is for Lisbon or later only.
4160 * Legacy device do not need this. the controller will drive the retry automatically */
4161 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4))
4162 {
4163 /* not retried yet. set the retry bit */
4164 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4165 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4166 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x", p_dev_rec->sm4, p_dev_rec->sec_flags);
4167
4168 /* With BRCM controller, we do not need to delete the stored link key in controller.
4169 If the stack may sit on top of other controller, we may need this
4170 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4171 }
4172
4173 if (p_dev_rec->sm4 & BTM_SM4_RETRY)
4174 {
4175 btm_sec_execute_procedure (p_dev_rec);
4176 return;
4177 }
4178 }
4179
4180 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4181
4182 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)
4183 {
4184 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4185 }
4186 return;
4187 }
4188
4189 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4190
4191 if (p_dev_rec->pin_code_length >= 16 ||
4192 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4193 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4194 // If we have MITM protection we have a higher level of security than
4195 // provided by 16 digits PIN
4196 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4197 }
4198
4199 /* Authentication succeeded, execute the next security procedure, if any */
4200 status = btm_sec_execute_procedure (p_dev_rec);
4201
4202 /* If there is no next procedure, or procedure failed to start, notify the caller */
4203 if (status != BTM_CMD_STARTED)
4204 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4205 }
4206
4207 /*******************************************************************************
4208 **
4209 ** Function btm_sec_encrypt_change
4210 **
4211 ** Description This function is when encryption of the connection is
4212 ** completed by the LM
4213 **
4214 ** Returns void
4215 **
4216 *******************************************************************************/
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4217 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4218 {
4219 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4220 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4221 tACL_CONN *p_acl = NULL;
4222 UINT8 acl_idx = btm_handle_to_acl_index(handle);
4223 #endif
4224 BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d",
4225 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4226 BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4227
4228 /* For transaction collision we need to wait and repeat. There is no need */
4229 /* for random timeout because only slave should receive the result */
4230 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
4231 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION))
4232 {
4233 btm_sec_auth_collision(handle);
4234 return;
4235 }
4236 btm_cb.collision_start_time = 0;
4237
4238 if (!p_dev_rec)
4239 return;
4240
4241 if ((status == HCI_SUCCESS) && encr_enable)
4242 {
4243 if (p_dev_rec->hci_handle == handle) {
4244 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4245 if (p_dev_rec->pin_code_length >= 16 ||
4246 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4247 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4248 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4249 }
4250 }
4251 else
4252 {
4253 p_dev_rec->sec_flags |= (BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4254 }
4255 }
4256
4257 /* It is possible that we decrypted the link to perform role switch */
4258 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4259 if ((status == HCI_SUCCESS) && !encr_enable)
4260 {
4261 if (p_dev_rec->hci_handle == handle)
4262 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4263 else
4264 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4265 }
4266
4267 BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags );
4268
4269 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4270 if (acl_idx != MAX_L2CAP_LINKS)
4271 p_acl = &btm_cb.acl_db[acl_idx];
4272
4273 if (p_acl != NULL)
4274 btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable);
4275
4276 if (p_acl && p_acl->transport == BT_TRANSPORT_LE)
4277 {
4278 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE ||
4279 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE)
4280 {
4281 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4282 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
4283 }
4284 btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable);
4285 return;
4286 }
4287 else
4288 {
4289 /* BR/EDR connection, update the encryption key size to be 16 as always */
4290 p_dev_rec->enc_key_size = 16;
4291 }
4292
4293 BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d",
4294 __func__, p_dev_rec->new_encryption_key_is_p256);
4295
4296 if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle))
4297 {
4298 if (p_dev_rec->new_encryption_key_is_p256)
4299 {
4300 if (btm_sec_use_smp_br_chnl(p_dev_rec) &&
4301 btm_sec_is_master(p_dev_rec) &&
4302 /* if LE key is not known, do deriving */
4303 (!(p_dev_rec->sec_flags &BTM_SEC_LE_LINK_KEY_KNOWN) ||
4304 /* or BR key is higher security than existing LE keys */
4305 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
4306 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED))))
4307 {
4308 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
4309 p_dev_rec->new_encryption_key_is_p256 = FALSE;
4310
4311 if (p_dev_rec->no_smp_on_br)
4312 {
4313 BTM_TRACE_DEBUG ("%s NO SM over BR/EDR", __func__);
4314 }
4315 else
4316 {
4317 BTM_TRACE_DEBUG ("%s start SM over BR/EDR", __func__);
4318 SMP_BR_PairWith(p_dev_rec->bd_addr);
4319 }
4320 }
4321 }
4322 else
4323 {
4324 // BR/EDR is successfully encrypted. Correct LK type if needed
4325 // (BR/EDR LK derived from LE LTK was used for encryption)
4326 if ((encr_enable == 1) && /* encryption is ON for SSP */
4327 /* LK type is for BR/EDR SC */
4328 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
4329 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4330 {
4331 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256)
4332 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
4333 else /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
4334 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
4335
4336 BTM_TRACE_DEBUG("updated link key type to %d", p_dev_rec->link_key_type);
4337 btm_send_link_key_notif(p_dev_rec);
4338 }
4339 }
4340 }
4341 #else
4342 btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
4343 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */
4344
4345 /* If this encryption was started by peer do not need to do anything */
4346 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING)
4347 {
4348 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state)
4349 {
4350 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4351 p_dev_rec->p_callback = NULL;
4352 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4353 }
4354 return;
4355 }
4356
4357 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4358 /* If encryption setup failed, notify the waiting layer */
4359 if (status != HCI_SUCCESS)
4360 {
4361 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4362 return;
4363 }
4364
4365 /* Encryption setup succeeded, execute the next security procedure, if any */
4366 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4367 /* If there is no next procedure, or procedure failed to start, notify the caller */
4368 if (status != BTM_CMD_STARTED)
4369 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4370 }
4371
4372 /*******************************************************************************
4373 **
4374 ** Function btm_sec_connect_after_reject_timeout
4375 **
4376 ** Description Connection for bonding could not start because of the collision
4377 ** Initiate outgoing connection
4378 **
4379 ** Returns Pointer to the TLE struct
4380 **
4381 *******************************************************************************/
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4382 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4383 {
4384 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4385 UNUSED(p_tle);
4386
4387 BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()");
4388 btm_cb.sec_collision_tle.param = 0;
4389 btm_cb.p_collided_dev_rec = 0;
4390
4391 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED)
4392 {
4393 BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection");
4394
4395 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4396
4397 if (btm_cb.api.p_auth_complete_callback)
4398 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4399 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4400 }
4401 }
4402
4403 /*******************************************************************************
4404 **
4405 ** Function btm_sec_connected
4406 **
4407 ** Description This function is when a connection to the peer device is
4408 ** establsihed
4409 **
4410 ** Returns void
4411 **
4412 *******************************************************************************/
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4413 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4414 {
4415 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4416 UINT8 res;
4417 BOOLEAN is_pairing_device = FALSE;
4418 tACL_CONN *p_acl_cb;
4419 UINT8 bit_shift = 0;
4420
4421 btm_acl_resubmit_page();
4422
4423 /* Commenting out trace due to obf/compilation problems.
4424 */
4425 #if (BT_USE_TRACES == TRUE)
4426 if (p_dev_rec)
4427 {
4428 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s",
4429 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4430 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5],
4431 p_dev_rec->sec_bd_name);
4432 }
4433 else
4434 {
4435 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x ",
4436 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4437 (bda[2]<<24)+(bda[3]<<16)+(bda[4]<<8)+bda[5]);
4438 }
4439 #endif
4440
4441 if (!p_dev_rec)
4442 {
4443 /* There is no device record for new connection. Allocate one */
4444 if (status == HCI_SUCCESS)
4445 {
4446 p_dev_rec = btm_sec_alloc_dev (bda);
4447 }
4448 else
4449 {
4450 /* If the device matches with stored paring address
4451 * reset the paring state to idle */
4452 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4453 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0))
4454 {
4455 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4456 }
4457
4458 /* can not find the device record and the status is error,
4459 * just ignore it */
4460 return;
4461 }
4462 }
4463 else /* Update the timestamp for this device */
4464 {
4465
4466 #if BLE_INCLUDED == TRUE
4467 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 :0;
4468 #endif
4469 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4470 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND)
4471 {
4472 /* tell L2CAP it's a bonding connection. */
4473 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4474 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4475 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4476 {
4477 /* if incoming connection failed while pairing, then try to connect and continue */
4478 /* Motorola S9 disconnects without asking pin code */
4479 if ((status != HCI_SUCCESS)&&(btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ))
4480 {
4481 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN");
4482
4483 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4484 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4485 {
4486 /* Start timer with 0 to initiate connection with new LCB */
4487 /* because L2CAP will delete current LCB with this event */
4488 btm_cb.p_collided_dev_rec = p_dev_rec;
4489 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4490 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4491 }
4492 else
4493 {
4494 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4495 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4496 }
4497 #if BTM_DISC_DURING_RS == TRUE
4498 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4499 #endif
4500 return;
4501 }
4502 else
4503 {
4504 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4505 }
4506 }
4507 /* always clear the pending flag */
4508 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4509 }
4510 }
4511
4512 #if BLE_INCLUDED == TRUE
4513 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4514 #endif
4515
4516 #if BTM_DISC_DURING_RS == TRUE
4517 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4518 #endif
4519
4520 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4521
4522 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4523 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) )
4524 {
4525 /* if we rejected incoming connection from bonding device */
4526 if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4527 &&(btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT))
4528 {
4529 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x",
4530 btm_cb.pairing_flags, p_dev_rec->sm4);
4531
4532 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4533 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4))
4534 {
4535 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4536 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4537 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4538 return;
4539 }
4540
4541 /* if we already have pin code */
4542 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN)
4543 {
4544 /* Start timer with 0 to initiate connection with new LCB */
4545 /* because L2CAP will delete current LCB with this event */
4546 btm_cb.p_collided_dev_rec = p_dev_rec;
4547 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4548 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4549 }
4550
4551 return;
4552 }
4553 /* wait for incoming connection without resetting pairing state */
4554 else if (status == HCI_ERR_CONNECTION_EXISTS)
4555 {
4556 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection");
4557 return;
4558 }
4559
4560 is_pairing_device = TRUE;
4561 }
4562
4563 /* If connection was made to do bonding restore link security if changed */
4564 btm_restore_mode();
4565
4566 /* if connection fails during pin request, notify application */
4567 if (status != HCI_SUCCESS)
4568 {
4569 /* If connection failed because of during pairing, need to tell user */
4570 if (is_pairing_device)
4571 {
4572 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4573 p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4574 BTM_TRACE_DEBUG ("security_required:%x ", p_dev_rec->security_required );
4575
4576 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4577
4578 /* We need to notify host that the key is not known any more */
4579 if (btm_cb.api.p_auth_complete_callback)
4580 {
4581 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4582 p_dev_rec->dev_class,
4583 p_dev_rec->sec_bd_name, status);
4584 }
4585 }
4586 /*
4587 Do not send authentication failure, if following conditions hold good
4588 1. BTM Sec Pairing state is idle
4589 2. Link key for the remote device is present.
4590 3. Remote is SSP capable.
4591 */
4592 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4593 (((status == HCI_ERR_AUTH_FAILURE) ||
4594 (status == HCI_ERR_KEY_MISSING) ||
4595 (status == HCI_ERR_HOST_REJECT_SECURITY) ||
4596 (status == HCI_ERR_PAIRING_NOT_ALLOWED) ||
4597 (status == HCI_ERR_UNIT_KEY_USED) ||
4598 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4599 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) ||
4600 (status == HCI_ERR_REPEATED_ATTEMPTS))))
4601 {
4602 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4603 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4604
4605
4606 #ifdef BRCM_NOT_4_BTE
4607 /* If we rejected pairing, pass this special result code */
4608 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY)
4609 {
4610 status = HCI_ERR_HOST_REJECT_SECURITY;
4611 }
4612 #endif
4613
4614 /* We need to notify host that the key is not known any more */
4615 if (btm_cb.api.p_auth_complete_callback)
4616 {
4617 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4618 p_dev_rec->dev_class,
4619 p_dev_rec->sec_bd_name, status);
4620 }
4621 }
4622
4623 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT ||
4624 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT)
4625 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4626 else
4627 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4628
4629 return;
4630 }
4631
4632 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4633 /* If dedicated bonding, and we now have a link key, we are all done */
4634 if ( is_pairing_device
4635 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) )
4636 {
4637 if (p_dev_rec->link_key_not_sent)
4638 {
4639 p_dev_rec->link_key_not_sent = FALSE;
4640 btm_send_link_key_notif(p_dev_rec);
4641 }
4642
4643 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4644
4645 /* remember flag before it is initialized */
4646 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4647 res = TRUE;
4648 else
4649 res = FALSE;
4650
4651 if (btm_cb.api.p_auth_complete_callback)
4652 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4653 p_dev_rec->dev_class,
4654 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4655
4656 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4657
4658 if ( res )
4659 {
4660 /* Let l2cap start bond timer */
4661 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4662 }
4663
4664 return;
4665 }
4666
4667 p_dev_rec->hci_handle = handle;
4668
4669 /* role may not be correct here, it will be updated by l2cap, but we need to */
4670 /* notify btm_acl that link is up, so starting of rmt name request will not */
4671 /* set paging flag up */
4672 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4673 if (p_acl_cb)
4674 {
4675 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4676 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4677 /* For now there are a some devices that do not like sending */
4678 /* commands events and data at the same time. */
4679 /* Set the packet types to the default allowed by the device */
4680 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4681
4682 if (btm_cb.btm_def_link_policy)
4683 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4684 #endif
4685 }
4686 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4687
4688 /* Initialize security flags. We need to do that because some */
4689 /* authorization complete could have come after the connection is dropped */
4690 /* and that would set wrong flag that link has been authorized already */
4691 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4692 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4693
4694 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED)
4695 p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4696
4697 if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
4698 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4699
4700 if (p_dev_rec->pin_code_length >= 16 ||
4701 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4702 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4703 p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift);
4704 }
4705
4706 p_dev_rec->link_key_changed = FALSE;
4707
4708 /* After connection is established we perform security if we do not know */
4709 /* the name, or if we are originator because some procedure can have */
4710 /* been scheduled while connection was down */
4711 BTM_TRACE_DEBUG ("is_originator:%d ", p_dev_rec->is_originator);
4712 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator)
4713 {
4714 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED)
4715 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4716 }
4717 return;
4718 }
4719
4720 /*******************************************************************************
4721 **
4722 ** Function btm_sec_disconnect
4723 **
4724 ** Description This function is called to disconnect HCI link
4725 **
4726 ** Returns btm status
4727 **
4728 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4729 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4730 {
4731 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4732
4733 /* In some weird race condition we may not have a record */
4734 if (!p_dev_rec)
4735 {
4736 btsnd_hcic_disconnect (handle, reason);
4737 return(BTM_SUCCESS);
4738 }
4739
4740 /* If we are in the process of bonding we need to tell client that auth failed */
4741 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4742 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4743 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) )
4744 {
4745 /* we are currently doing bonding. Link will be disconnected when done */
4746 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4747 return(BTM_BUSY);
4748 }
4749
4750 return(btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4751 }
4752
4753 /*******************************************************************************
4754 **
4755 ** Function btm_sec_disconnected
4756 **
4757 ** Description This function is when a connection to the peer device is
4758 ** dropped
4759 **
4760 ** Returns void
4761 **
4762 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4763 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4764 {
4765 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4766 UINT8 old_pairing_flags = btm_cb.pairing_flags;
4767 int result = HCI_ERR_AUTH_FAILURE;
4768 tBTM_SEC_CALLBACK *p_callback = NULL;
4769 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
4770
4771 /* If page was delayed for disc complete, can do it now */
4772 btm_cb.discing = FALSE;
4773
4774 btm_acl_resubmit_page();
4775
4776 if (!p_dev_rec)
4777 return;
4778
4779 transport = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR: BT_TRANSPORT_LE;
4780
4781 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4782
4783 #if BTM_DISC_DURING_RS == TRUE
4784 LOG_INFO("%s clearing pending flag handle:%d reason:%d", __func__, handle, reason);
4785 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4786 #endif
4787
4788 /* clear unused flags */
4789 p_dev_rec->sm4 &= BTM_SM4_TRUE;
4790
4791 uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr;
4792 BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x"
4793 " remote_name:%s", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state),
4794 reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name);
4795
4796 BTM_TRACE_EVENT("%s before update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4797
4798 /* If we are in the process of bonding we need to tell client that auth failed */
4799 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4800 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0))
4801 {
4802 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4803 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4804 if (btm_cb.api.p_auth_complete_callback)
4805 {
4806 /* If the disconnection reason is REPEATED_ATTEMPTS,
4807 send this error message to complete callback function
4808 to display the error message of Repeated attempts.
4809 All others, send HCI_ERR_AUTH_FAILURE. */
4810 if (reason == HCI_ERR_REPEATED_ATTEMPTS)
4811 {
4812 result = HCI_ERR_REPEATED_ATTEMPTS;
4813 }
4814 else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4815 {
4816 result = HCI_ERR_HOST_REJECT_SECURITY;
4817 }
4818 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4819 p_dev_rec->sec_bd_name, result);
4820 }
4821 }
4822
4823 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4824 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4825 /* see sec_flags processing in btm_acl_removed */
4826
4827 if (transport == BT_TRANSPORT_LE)
4828 {
4829 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4830 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED|BTM_SEC_LE_ENCRYPTED);
4831 p_dev_rec->enc_key_size = 0;
4832 }
4833 else
4834 #endif
4835 {
4836 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4837 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
4838 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
4839 }
4840
4841 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4842 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)
4843 {
4844 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ?
4845 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
4846 return;
4847 }
4848 #endif
4849 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4850 p_dev_rec->security_required = BTM_SEC_NONE;
4851
4852 p_callback = p_dev_rec->p_callback;
4853
4854 /* if security is pending, send callback to clean up the security state */
4855 if(p_callback)
4856 {
4857 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4858 we do, this call back must be reset here */
4859 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4860 }
4861
4862 BTM_TRACE_EVENT("%s after update sec_flags=0x%x", __func__, p_dev_rec->sec_flags);
4863 }
4864
4865 /*******************************************************************************
4866 **
4867 ** Function btm_sec_link_key_notification
4868 **
4869 ** Description This function is called when a new connection link key is
4870 ** generated
4871 **
4872 ** Returns Pointer to the record or NULL
4873 **
4874 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4875 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4876 {
4877 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4878 BOOLEAN we_are_bonding = FALSE;
4879 BOOLEAN ltk_derived_lk = FALSE;
4880
4881 BTM_TRACE_EVENT ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d",
4882 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5],
4883 key_type);
4884
4885 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4886 (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256))
4887 {
4888 ltk_derived_lk = TRUE;
4889 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4890 }
4891 /* If connection was made to do bonding restore link security if changed */
4892 btm_restore_mode();
4893
4894 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB)
4895 p_dev_rec->link_key_type = key_type;
4896
4897 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4898
4899 /*
4900 * Until this point in time, we do not know if MITM was enabled, hence we
4901 * add the extended security flag here.
4902 */
4903 if (p_dev_rec->pin_code_length >= 16 ||
4904 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4905 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4906 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4907 }
4908
4909 #if (BLE_INCLUDED == TRUE)
4910 /* BR/EDR connection, update the encryption key size to be 16 as always */
4911 p_dev_rec->enc_key_size = 16;
4912 #endif
4913 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4914
4915 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4916 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) )
4917 {
4918 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
4919 we_are_bonding = TRUE;
4920 else
4921 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4922 }
4923
4924 /* save LTK derived LK no matter what */
4925 if (ltk_derived_lk)
4926 {
4927 if (btm_cb.api.p_link_key_callback)
4928 {
4929 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)",
4930 __FUNCTION__, p_dev_rec->link_key_type);
4931 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4932 p_dev_rec->sec_bd_name,
4933 p_link_key, p_dev_rec->link_key_type);
4934 }
4935 }
4936 else
4937 {
4938 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4939 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256))
4940 {
4941 p_dev_rec->new_encryption_key_is_p256 = TRUE;
4942 BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d",
4943 __func__, p_dev_rec->new_encryption_key_is_p256);
4944 }
4945 }
4946
4947 /* If name is not known at this point delay calling callback until the name is */
4948 /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4949 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4950 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL))
4951 && !ltk_derived_lk)
4952 {
4953 BTM_TRACE_EVENT ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d",
4954 (p_bda[0]<<24) + (p_bda[1]<<16) + (p_bda[2]<<8) + p_bda[3],
4955 (p_bda[4] << 8) + p_bda[5], key_type);
4956
4957 p_dev_rec->link_key_not_sent = TRUE;
4958
4959 /* If it is for bonding nothing else will follow, so we need to start name resolution */
4960 if (we_are_bonding)
4961 {
4962 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0)))
4963 btm_inq_rmt_name_failed();
4964 }
4965
4966 BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4967 return;
4968 }
4969
4970 /* If its not us who perform authentication, we should tell stackserver */
4971 /* that some authentication has been completed */
4972 /* This is required when different entities receive link notification and auth complete */
4973 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)
4974 /* for derived key, always send authentication callback for BR channel */
4975 || ltk_derived_lk)
4976 {
4977 if (btm_cb.api.p_auth_complete_callback)
4978 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4979 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4980 }
4981
4982 /* We will save link key only if the user authorized it - BTE report link key in all cases */
4983 #ifdef BRCM_NONE_BTE
4984 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4985 #endif
4986 {
4987 if (btm_cb.api.p_link_key_callback)
4988 {
4989 if (ltk_derived_lk)
4990 {
4991 BTM_TRACE_DEBUG ("btm_sec_link_key_notification() LTK derived LK is saved already"
4992 " (key_type = %d)", p_dev_rec->link_key_type);
4993 }
4994 else
4995 {
4996 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4997 p_dev_rec->sec_bd_name,
4998 p_link_key, p_dev_rec->link_key_type);
4999 }
5000 }
5001 }
5002 }
5003
5004 /*******************************************************************************
5005 **
5006 ** Function btm_sec_link_key_request
5007 **
5008 ** Description This function is called when controller requests link key
5009 **
5010 ** Returns Pointer to the record or NULL
5011 **
5012 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)5013 void btm_sec_link_key_request (UINT8 *p_bda)
5014 {
5015 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
5016
5017 BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x",
5018 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
5019
5020 if( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
5021 (btm_cb.collision_start_time != 0) &&
5022 (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) )
5023 {
5024 BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
5025 "State: %d START_TIMEOUT : %d",
5026 btm_cb.pairing_state, btm_cb.collision_start_time);
5027 btsnd_hcic_link_key_neg_reply (p_bda);
5028 return;
5029 }
5030 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5031 {
5032 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
5033 return;
5034 }
5035
5036 /* Notify L2CAP to increase timeout */
5037 l2c_pin_code_request (p_bda);
5038
5039 /* The link key is not in the database and it is not known to the manager */
5040 btsnd_hcic_link_key_neg_reply (p_bda);
5041 }
5042
5043 /*******************************************************************************
5044 **
5045 ** Function btm_sec_pairing_timeout
5046 **
5047 ** Description This function is called when host does not provide PIN
5048 ** within requested time
5049 **
5050 ** Returns Pointer to the TLE struct
5051 **
5052 *******************************************************************************/
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)5053 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
5054 {
5055 tBTM_CB *p_cb = &btm_cb;
5056 tBTM_SEC_DEV_REC *p_dev_rec;
5057 #if BTM_OOB_INCLUDED == TRUE
5058 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
5059 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
5060 #else
5061 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES;
5062 #endif
5063 #endif
5064 UINT8 name[2];
5065 UNUSED(p_tle);
5066
5067 p_cb->pairing_tle.param = 0;
5068 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
5069 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
5070 */
5071 p_dev_rec = btm_find_dev (p_cb->pairing_bda);
5072
5073 BTM_TRACE_EVENT ("btm_sec_pairing_timeout() State: %s Flags: %u",
5074 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
5075
5076 switch (p_cb->pairing_state)
5077 {
5078 case BTM_PAIR_STATE_WAIT_PIN_REQ:
5079 btm_sec_bond_cancel_complete();
5080 break;
5081
5082 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
5083 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0)
5084 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
5085 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5086 /* We need to notify the UI that no longer need the PIN */
5087 if (btm_cb.api.p_auth_complete_callback)
5088 {
5089 if (p_dev_rec == NULL)
5090 {
5091 name[0] = 0;
5092 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5093 NULL,
5094 name, HCI_ERR_CONNECTION_TOUT);
5095 }
5096 else
5097 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5098 p_dev_rec->dev_class,
5099 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5100 }
5101 break;
5102
5103 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
5104 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
5105 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5106 break;
5107
5108 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
5109 case BTM_PAIR_STATE_KEY_ENTRY:
5110 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
5111 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
5112 break;
5113 #endif /* !BTM_IO_CAP_NONE */
5114
5115 #if BTM_OOB_INCLUDED == TRUE
5116 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
5117 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
5118 auth_req |= BTM_AUTH_DD_BOND;
5119
5120 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
5121 BTM_OOB_NONE, auth_req);
5122 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5123 break;
5124
5125 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
5126 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
5127 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5128 break;
5129 #endif /* BTM_OOB_INCLUDED */
5130
5131 case BTM_PAIR_STATE_WAIT_DISCONNECT:
5132 /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
5133 * now it's time to tear down the ACL link*/
5134 if (p_dev_rec == NULL)
5135 {
5136 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x",
5137 (p_cb->pairing_bda[0]<<24) + (p_cb->pairing_bda[1]<<16) + (p_cb->pairing_bda[2]<<8) + p_cb->pairing_bda[3],
5138 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
5139 break;
5140 }
5141 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
5142 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5143 break;
5144
5145 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
5146 case BTM_PAIR_STATE_GET_REM_NAME:
5147 /* We need to notify the UI that timeout has happened while waiting for authentication*/
5148 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5149 if (btm_cb.api.p_auth_complete_callback)
5150 {
5151 if (p_dev_rec == NULL)
5152 {
5153 name[0] = 0;
5154 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
5155 NULL,
5156 name, HCI_ERR_CONNECTION_TOUT);
5157 }
5158 else
5159 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
5160 p_dev_rec->dev_class,
5161 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
5162 }
5163 break;
5164
5165 default:
5166 BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s", btm_pair_state_descr(btm_cb.pairing_state));
5167 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
5168 break;
5169 }
5170 }
5171
5172 /*******************************************************************************
5173 **
5174 ** Function btm_sec_pin_code_request
5175 **
5176 ** Description This function is called when controller requests PIN code
5177 **
5178 ** Returns Pointer to the record or NULL
5179 **
5180 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)5181 void btm_sec_pin_code_request (UINT8 *p_bda)
5182 {
5183 tBTM_SEC_DEV_REC *p_dev_rec;
5184 tBTM_CB *p_cb = &btm_cb;
5185
5186 BTM_TRACE_EVENT ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x",
5187 btm_pair_state_descr(btm_cb.pairing_state),
5188 (p_bda[0]<<8)+p_bda[1], (p_bda[2]<<24)+(p_bda[3]<<16)+(p_bda[4]<<8)+p_bda[5] );
5189
5190 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
5191 {
5192 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) &&
5193 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) )
5194 {
5195 btsnd_hcic_pin_code_neg_reply (p_bda);
5196 return;
5197 }
5198 else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5199 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0)
5200 {
5201 BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s",
5202 btm_pair_state_descr(btm_cb.pairing_state));
5203 btsnd_hcic_pin_code_neg_reply (p_bda);
5204 return;
5205 }
5206 }
5207
5208 p_dev_rec = btm_find_or_alloc_dev (p_bda);
5209 /* received PIN code request. must be non-sm4 */
5210 p_dev_rec->sm4 = BTM_SM4_KNOWN;
5211
5212 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
5213 {
5214 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5215
5216 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5217 /* Make sure we reset the trusted mask to help against attacks */
5218 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5219 }
5220
5221 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED))
5222 {
5223 BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying");
5224 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5225 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5226 return;
5227 }
5228
5229 /* Use the connecting device's CoD for the connection */
5230 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5231 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) )
5232 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5233
5234 /* We could have started connection after asking user for the PIN code */
5235 if (btm_cb.pin_code_len != 0)
5236 {
5237 BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply");
5238 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5239
5240 /* Mark that we forwarded received from the user PIN code */
5241 btm_cb.pin_code_len = 0;
5242
5243 /* We can change mode back right away, that other connection being established */
5244 /* is not forced to be secure - found a FW issue, so we can not do this
5245 btm_restore_mode(); */
5246
5247 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5248 }
5249
5250 /* If pairing disabled OR (no PIN callback and not bonding) */
5251 /* OR we could not allocate entry in the database reject pairing request */
5252 else if (p_cb->pairing_disabled
5253 || (p_cb->api.p_pin_callback == NULL)
5254
5255 /* OR Microsoft keyboard can for some reason try to establish connection */
5256 /* the only thing we can do here is to shut it up. Normally we will be originator */
5257 /* for keyboard bonding */
5258 || (!p_dev_rec->is_originator
5259 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5260 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) )
5261 {
5262 BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%x, Dev Rec:%x!",
5263 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5264
5265 btsnd_hcic_pin_code_neg_reply (p_bda);
5266 }
5267 /* Notify upper layer of PIN request and start expiration timer */
5268 else
5269 {
5270 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5271 /* Pin code request can not come at the same time as connection request */
5272 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5273 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
5274
5275 /* Check if the name is known */
5276 /* Even if name is not known we might not be able to get one */
5277 /* this is the case when we are already getting something from the */
5278 /* device, so HCI level is flow controlled */
5279 /* Also cannot send remote name request while paging, i.e. connection is not completed */
5280 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5281 {
5282 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback");
5283
5284 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5285 if (p_cb->api.p_pin_callback) {
5286 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5287 (p_dev_rec->p_cur_service == NULL) ? FALSE
5288 : (p_dev_rec->p_cur_service->security_flags
5289 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5290 }
5291 }
5292 else
5293 {
5294 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for remote name");
5295
5296 /* We received PIN code request for the device with unknown name */
5297 /* it is not user friendly just to ask for the PIN without name */
5298 /* try to get name at first */
5299 if (!btsnd_hcic_rmt_name_req (p_dev_rec->bd_addr,
5300 HCI_PAGE_SCAN_REP_MODE_R1,
5301 HCI_MANDATARY_PAGE_SCAN_MODE, 0))
5302 {
5303 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
5304 p_dev_rec->sec_bd_name[0] = 'f';
5305 p_dev_rec->sec_bd_name[1] = '0';
5306 BTM_TRACE_ERROR ("can not send rmt_name_req?? fake a name and call callback");
5307
5308 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5309 if (p_cb->api.p_pin_callback)
5310 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class,
5311 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
5312 : (p_dev_rec->p_cur_service->security_flags
5313 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5314 }
5315 }
5316 }
5317
5318 return;
5319 }
5320
5321 /*******************************************************************************
5322 **
5323 ** Function btm_sec_update_clock_offset
5324 **
5325 ** Description This function is called to update clock offset
5326 **
5327 ** Returns void
5328 **
5329 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5330 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5331 {
5332 tBTM_SEC_DEV_REC *p_dev_rec;
5333 tBTM_INQ_INFO *p_inq_info;
5334
5335 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL)
5336 return;
5337
5338 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5339
5340 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL)
5341 return;
5342
5343 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5344 }
5345
5346
5347 /******************************************************************
5348 ** S T A T I C F U N C T I O N S
5349 *******************************************************************/
5350
5351 /*******************************************************************************
5352 **
5353 ** Function btm_sec_execute_procedure
5354 **
5355 ** Description This function is called to start required security
5356 ** procedure. There is a case when multiplexing protocol
5357 ** calls this function on the originating side, connection to
5358 ** the peer will not be established. This function in this
5359 ** case performs only authorization.
5360 **
5361 ** Returns BTM_SUCCESS - permission is granted
5362 ** BTM_CMD_STARTED - in process
5363 ** BTM_NO_RESOURCES - permission declined
5364 **
5365 *******************************************************************************/
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5366 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5367 {
5368 BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d",
5369 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5370
5371 /* There is a chance that we are getting name. Wait until done. */
5372 if (p_dev_rec->sec_state != 0)
5373 return(BTM_CMD_STARTED);
5374
5375 /* If any security is required, get the name first */
5376 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5377 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5378 {
5379 BTM_TRACE_EVENT ("Security Manager: Start get name");
5380 if (!btm_sec_start_get_name (p_dev_rec))
5381 {
5382 return(BTM_NO_RESOURCES);
5383 }
5384 return(BTM_CMD_STARTED);
5385 }
5386
5387 /* If connection is not authenticated and authentication is required */
5388 /* start authentication and return PENDING to the caller */
5389 if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5390 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5391 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE))))
5392 || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5393 && (!p_dev_rec->is_originator
5394 && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN))))
5395 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5396 {
5397 /*
5398 * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
5399 * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
5400 * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
5401 * authenticated connections, hence we cannot distinguish here.
5402 */
5403
5404 #if (L2CAP_UCD_INCLUDED == TRUE)
5405 /* if incoming UCD packet, discard it */
5406 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5407 return(BTM_FAILED_ON_SECURITY);
5408 #endif
5409
5410 BTM_TRACE_EVENT ("Security Manager: Start authentication");
5411
5412 /*
5413 * If we do have a link-key, but we end up here because we need an
5414 * upgrade, then clear the link-key known and authenticated flag before
5415 * restarting authentication.
5416 * WARNING: If the controller has link-key, it is optional and
5417 * recommended for the controller to send a Link_Key_Request.
5418 * In case we need an upgrade, the only alternative would be to delete
5419 * the existing link-key. That could lead to very bad user experience
5420 * or even IOP issues, if a reconnect causes a new connection that
5421 * requires an upgrade.
5422 */
5423 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5424 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5425 && (!p_dev_rec->is_originator && (p_dev_rec->security_required
5426 & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
5427 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
5428 | BTM_SEC_AUTHENTICATED);
5429 }
5430
5431 if (!btm_sec_start_authentication (p_dev_rec))
5432 {
5433 return(BTM_NO_RESOURCES);
5434 }
5435 return(BTM_CMD_STARTED);
5436 }
5437
5438 /* If connection is not encrypted and encryption is required */
5439 /* start encryption and return PENDING to the caller */
5440 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5441 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5442 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5443 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE))
5444 {
5445 #if (L2CAP_UCD_INCLUDED == TRUE)
5446 /* if incoming UCD packet, discard it */
5447 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE ))
5448 return(BTM_FAILED_ON_SECURITY);
5449 #endif
5450
5451 BTM_TRACE_EVENT ("Security Manager: Start encryption");
5452
5453 if (!btm_sec_start_encryption (p_dev_rec))
5454 {
5455 return(BTM_NO_RESOURCES);
5456 }
5457 return(BTM_CMD_STARTED);
5458 }
5459
5460 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
5461 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
5462 {
5463 BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -",
5464 "security failure", __FUNCTION__, p_dev_rec->link_key_type);
5465 return (BTM_FAILED_ON_SECURITY);
5466 }
5467
5468 /* If connection is not authorized and authorization is required */
5469 /* start authorization and return PENDING to the caller */
5470 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5471 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5472 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE))))
5473 {
5474 BTM_TRACE_EVENT ("service id:%d, is trusted:%d",
5475 p_dev_rec->p_cur_service->service_id,
5476 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5477 p_dev_rec->p_cur_service->service_id)));
5478 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5479 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5480 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5481 p_dev_rec->p_cur_service->service_id) == FALSE))
5482 {
5483 BTM_TRACE_EVENT ("Security Manager: Start authorization");
5484 return(btm_sec_start_authorization (p_dev_rec));
5485 }
5486 }
5487
5488 /* All required security procedures already established */
5489 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5490 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5491 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5492 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5493 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5494
5495 BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5496 BTM_TRACE_EVENT ("Security Manager: access granted");
5497
5498 return(BTM_SUCCESS);
5499 }
5500
5501
5502 /*******************************************************************************
5503 **
5504 ** Function btm_sec_start_get_name
5505 **
5506 ** Description This function is called to start get name procedure
5507 **
5508 ** Returns TRUE if started
5509 **
5510 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5511 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5512 {
5513 UINT8 tempstate = p_dev_rec->sec_state;
5514
5515 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5516
5517 /* Device should be connected, no need to provide correct page params */
5518 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5519 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5520 0, NULL)) != BTM_CMD_STARTED)
5521 {
5522 p_dev_rec->sec_state = tempstate;
5523 return(FALSE);
5524 }
5525
5526 return(TRUE);
5527 }
5528
5529 /*******************************************************************************
5530 **
5531 ** Function btm_sec_start_authentication
5532 **
5533 ** Description This function is called to start authentication
5534 **
5535 ** Returns TRUE if started
5536 **
5537 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5538 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5539 {
5540 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5541
5542 return(btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5543 }
5544
5545 /*******************************************************************************
5546 **
5547 ** Function btm_sec_start_encryption
5548 **
5549 ** Description This function is called to start encryption
5550 **
5551 ** Returns TRUE if started
5552 **
5553 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5554 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5555 {
5556 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE))
5557 return(FALSE);
5558
5559 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5560 return(TRUE);
5561 }
5562
5563
5564 /*******************************************************************************
5565 **
5566 ** Function btm_sec_start_authorization
5567 **
5568 ** Description This function is called to start authorization
5569 **
5570 ** Returns TRUE if started
5571 **
5572 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5573 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5574 {
5575 UINT8 result;
5576 UINT8 *p_service_name = NULL;
5577 UINT8 service_id;
5578
5579 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5580 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE))
5581 {
5582 if (!btm_cb.api.p_authorize_callback)
5583 return(BTM_MODE_UNSUPPORTED);
5584
5585 if (p_dev_rec->p_cur_service)
5586 {
5587 #if BTM_SEC_SERVICE_NAME_LEN > 0
5588 if (p_dev_rec->is_originator)
5589 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5590 else
5591 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5592 #endif
5593 service_id = p_dev_rec->p_cur_service->service_id;
5594 }
5595 else
5596 service_id = 0;
5597
5598 /* Send authorization request if not already sent during this service connection */
5599 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5600 || p_dev_rec->last_author_service_id != service_id)
5601 {
5602 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5603 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5604 p_dev_rec->dev_class,
5605 p_dev_rec->sec_bd_name,
5606 p_service_name,
5607 service_id,
5608 p_dev_rec->is_originator);
5609 }
5610
5611 else /* Already authorized once for this L2CAP bringup */
5612 {
5613 BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)", service_id);
5614 return (BTM_SUCCESS);
5615 }
5616
5617 if (result == BTM_SUCCESS)
5618 {
5619 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5620
5621 /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5622 if (!p_dev_rec->is_originator)
5623 p_dev_rec->last_author_service_id = service_id;
5624
5625 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5626 }
5627 return(result);
5628 }
5629 btm_sec_start_get_name (p_dev_rec);
5630 return(BTM_CMD_STARTED);
5631 }
5632
5633 /*******************************************************************************
5634 **
5635 ** Function btm_sec_are_all_trusted
5636 **
5637 ** Description This function is called check if all services are trusted
5638 **
5639 ** Returns TRUE if all are trusted, otherwise FALSE
5640 **
5641 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5642 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5643 {
5644 UINT32 trusted_inx;
5645 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++)
5646 {
5647 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL)
5648 return(FALSE);
5649 }
5650
5651 return(TRUE);
5652 }
5653
5654 /*******************************************************************************
5655 **
5656 ** Function btm_sec_find_first_serv
5657 **
5658 ** Description Look for the first record in the service database
5659 ** with specified PSM
5660 **
5661 ** Returns Pointer to the record or NULL
5662 **
5663 *******************************************************************************/
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5664 static tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5665 {
5666 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5667 int i;
5668 BOOLEAN is_originator;
5669
5670 #if (L2CAP_UCD_INCLUDED == TRUE)
5671
5672 if ( conn_type & CONNECTION_TYPE_ORIG_MASK )
5673 is_originator = TRUE;
5674 else
5675 is_originator = FALSE;
5676 #else
5677 is_originator = conn_type;
5678 #endif
5679
5680 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm)
5681 {
5682 /* If this is outgoing connection and the PSM matches p_out_serv,
5683 * use it as the current service */
5684 return btm_cb.p_out_serv;
5685 }
5686
5687 /* otherwise, just find the first record with the specified PSM */
5688 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5689 {
5690 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) )
5691 return(p_serv_rec);
5692 }
5693 return(NULL);
5694 }
5695
5696
5697 /*******************************************************************************
5698 **
5699 ** Function btm_sec_find_next_serv
5700 **
5701 ** Description Look for the next record in the service database
5702 ** with specified PSM
5703 **
5704 ** Returns Pointer to the record or NULL
5705 **
5706 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5707 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5708 {
5709 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5710 int i;
5711
5712 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5713 {
5714 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5715 && (p_serv_rec->psm == p_cur->psm) )
5716 {
5717 if (p_cur != p_serv_rec)
5718 {
5719 return(p_serv_rec);
5720 }
5721 }
5722 }
5723 return(NULL);
5724 }
5725
5726
5727 /*******************************************************************************
5728 **
5729 ** Function btm_sec_find_mx_serv
5730 **
5731 ** Description Look for the record in the service database with specified
5732 ** PSM and multiplexor channel information
5733 **
5734 ** Returns Pointer to the record or NULL
5735 **
5736 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5737 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5738 UINT32 mx_proto_id, UINT32 mx_chan_id)
5739 {
5740 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5741 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5742 int i;
5743
5744 BTM_TRACE_DEBUG ("%s()", __func__);
5745 if (is_originator && p_out_serv && p_out_serv->psm == psm
5746 && p_out_serv->mx_proto_id == mx_proto_id
5747 && p_out_serv->orig_mx_chan_id == mx_chan_id)
5748 {
5749 /* If this is outgoing connection and the parameters match p_out_serv,
5750 * use it as the current service */
5751 return btm_cb.p_out_serv;
5752 }
5753
5754 /* otherwise, the old way */
5755 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++)
5756 {
5757 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5758 && (p_serv_rec->psm == psm)
5759 && (p_serv_rec->mx_proto_id == mx_proto_id)
5760 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
5761 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id))))
5762 {
5763 return(p_serv_rec);
5764 }
5765 }
5766 return(NULL);
5767 }
5768
5769
5770 /*******************************************************************************
5771 **
5772 ** Function btm_sec_collision_timeout
5773 **
5774 ** Description Encryption could not start because of the collision
5775 ** try to do it again
5776 **
5777 ** Returns Pointer to the TLE struct
5778 **
5779 *******************************************************************************/
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5780 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5781 {
5782 UNUSED(p_tle);
5783
5784 BTM_TRACE_EVENT ("%s()", __func__);
5785 btm_cb.sec_collision_tle.param = 0;
5786
5787 tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5788
5789 /* If result is pending reply from the user or from the device is pending */
5790 if (status != BTM_CMD_STARTED)
5791 {
5792 /* There is no next procedure or start of procedure failed, notify the waiting layer */
5793 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5794 }
5795 }
5796
5797 /*******************************************************************************
5798 **
5799 ** Function btm_sec_link_key_request
5800 **
5801 ** Description This function is called when controller requests link key
5802 **
5803 ** Returns Pointer to the record or NULL
5804 **
5805 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5806 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5807 {
5808 if (btm_cb.api.p_link_key_callback)
5809 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5810 p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5811 p_dev_rec->link_key_type);
5812 }
5813
5814 /*******************************************************************************
5815 **
5816 ** Function BTM_ReadTrustedMask
5817 **
5818 ** Description Get trusted mask for the peer device
5819 **
5820 ** Parameters: bd_addr - Address of the device
5821 **
5822 ** Returns NULL, if the device record is not found.
5823 ** otherwise, the trusted mask
5824 **
5825 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5826 UINT32 * BTM_ReadTrustedMask (BD_ADDR bd_addr)
5827 {
5828 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
5829 if (p_dev_rec != NULL)
5830 return(p_dev_rec->trusted_mask);
5831 return NULL;
5832 }
5833
5834 /*******************************************************************************
5835 **
5836 ** Function btm_restore_mode
5837 **
5838 ** Description This function returns the security mode to previous setting
5839 ** if it was changed during bonding.
5840 **
5841 **
5842 ** Parameters: void
5843 **
5844 *******************************************************************************/
btm_restore_mode(void)5845 static void btm_restore_mode(void)
5846 {
5847 if (btm_cb.security_mode_changed)
5848 {
5849 btm_cb.security_mode_changed = FALSE;
5850 BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5851 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5852 }
5853
5854 if (btm_cb.pin_type_changed)
5855 {
5856 btm_cb.pin_type_changed = FALSE;
5857 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5858 }
5859 }
5860
5861
5862 /*******************************************************************************
5863 **
5864 ** Function btm_sec_find_dev_by_sec_state
5865 **
5866 ** Description Look for the record in the device database for the device
5867 ** which is being authenticated or encrypted
5868 **
5869 ** Returns Pointer to the record or NULL
5870 **
5871 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5872 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5873 {
5874 tBTM_SEC_DEV_REC *p_dev_rec = &btm_cb.sec_dev_rec[0];
5875
5876 for (int i = 0; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
5877 {
5878 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5879 && (p_dev_rec->sec_state == state))
5880 return(p_dev_rec);
5881 }
5882 return(NULL);
5883 }
5884
5885 /*******************************************************************************
5886 **
5887 ** Function btm_sec_change_pairing_state
5888 **
5889 ** Description This function is called to change pairing state
5890 **
5891 *******************************************************************************/
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5892 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5893 {
5894 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
5895
5896 BTM_TRACE_EVENT ("%s() Old: %s", __func__, btm_pair_state_descr(btm_cb.pairing_state));
5897 BTM_TRACE_EVENT ("%s() New: %s pairing_flags:0x%x", __func__,
5898 btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5899
5900 btm_cb.pairing_state = new_state;
5901
5902 if (new_state == BTM_PAIR_STATE_IDLE)
5903 {
5904 btu_stop_timer (&btm_cb.pairing_tle);
5905
5906 btm_cb.pairing_flags = 0;
5907 btm_cb.pin_code_len = 0;
5908
5909 /* Make sure the the lcb shows we are not bonding */
5910 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5911
5912 btm_restore_mode();
5913 btm_sec_check_pending_reqs();
5914 btm_inq_clear_ssp();
5915
5916 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5917 }
5918 else
5919 {
5920 /* If transitionng out of idle, mark the lcb as bonding */
5921 if (old_state == BTM_PAIR_STATE_IDLE)
5922 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5923
5924 btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5925
5926 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5927 }
5928 }
5929
5930
5931 /*******************************************************************************
5932 **
5933 ** Function btm_pair_state_descr
5934 **
5935 ** Description Return state description for tracing
5936 **
5937 *******************************************************************************/
5938 #if (BT_USE_TRACES == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5939 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5940 {
5941 #if (BT_TRACE_VERBOSE == TRUE)
5942 switch (state)
5943 {
5944 case BTM_PAIR_STATE_IDLE: return("IDLE");
5945 case BTM_PAIR_STATE_GET_REM_NAME: return("GET_REM_NAME");
5946 case BTM_PAIR_STATE_WAIT_PIN_REQ: return("WAIT_PIN_REQ");
5947 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return("WAIT_LOCAL_PIN");
5948 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return("WAIT_NUM_CONFIRM");
5949 case BTM_PAIR_STATE_KEY_ENTRY: return("KEY_ENTRY");
5950 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return("WAIT_LOCAL_OOB_RSP");
5951 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return("WAIT_LOCAL_IOCAPS");
5952 case BTM_PAIR_STATE_INCOMING_SSP: return("INCOMING_SSP");
5953 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return("WAIT_AUTH_COMPLETE");
5954 case BTM_PAIR_STATE_WAIT_DISCONNECT: return("WAIT_DISCONNECT");
5955 }
5956
5957 return("???");
5958 #else
5959 sprintf(btm_cb.state_temp_buffer,"%hhu",state);
5960
5961 return(btm_cb.state_temp_buffer);
5962 #endif
5963 }
5964 #endif
5965
5966 /*******************************************************************************
5967 **
5968 ** Function btm_sec_dev_rec_cback_event
5969 **
5970 ** Description This function calls the callback function with the given
5971 ** result and clear the callback function.
5972 **
5973 ** Parameters: void
5974 **
5975 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)5976 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
5977 {
5978 tBTM_SEC_CALLBACK *p_callback = p_dev_rec->p_callback;
5979
5980 if (p_dev_rec->p_callback)
5981 {
5982 p_dev_rec->p_callback = NULL;
5983
5984 #if BLE_INCLUDED == TRUE
5985 if (is_le_transport)
5986 (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res);
5987 else
5988 #endif
5989 (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res);
5990 }
5991
5992 btm_sec_check_pending_reqs();
5993 }
5994
5995 /*******************************************************************************
5996 **
5997 ** Function btm_sec_queue_mx_request
5998 **
5999 ** Description Return state description for tracing
6000 **
6001 *******************************************************************************/
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)6002 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
6003 UINT32 mx_proto_id, UINT32 mx_chan_id,
6004 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
6005 {
6006 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf (sizeof(tBTM_SEC_QUEUE_ENTRY));
6007
6008 if (p_e)
6009 {
6010 p_e->psm = psm;
6011 p_e->is_orig = is_orig;
6012 p_e->p_callback = p_callback;
6013 p_e->p_ref_data = p_ref_data;
6014 p_e->mx_proto_id = mx_proto_id;
6015 p_e->mx_chan_id = mx_chan_id;
6016 p_e->transport = BT_TRANSPORT_BR_EDR;
6017
6018 memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6019
6020 BTM_TRACE_EVENT ("%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u",
6021 __func__, psm, is_orig, mx_proto_id, mx_chan_id);
6022
6023 GKI_enqueue (&btm_cb.sec_pending_q, p_e);
6024
6025 return(TRUE);
6026 }
6027
6028 return(FALSE);
6029 }
6030
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)6031 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec)
6032 {
6033 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
6034 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
6035 BOOLEAN rv = FALSE;
6036
6037 if ((major == BTM_COD_MAJOR_AUDIO)
6038 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) )
6039 {
6040 BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x",
6041 __func__, major, minor);
6042
6043 if (btm_cb.security_mode_changed == FALSE)
6044 {
6045 btm_cb.security_mode_changed = TRUE;
6046 #ifdef APPL_AUTH_WRITE_EXCEPTION
6047 if(!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
6048 #endif
6049 btsnd_hcic_write_auth_enable (TRUE);
6050 }
6051 }
6052 else
6053 {
6054 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
6055
6056 /* If we got a PIN, use that, else try to get one */
6057 if (btm_cb.pin_code_len)
6058 {
6059 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
6060 }
6061 else
6062 {
6063 /* pin was not supplied - pre-fetch pin code now */
6064 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0))
6065 {
6066 BTM_TRACE_DEBUG("%s() PIN code callback called", __func__);
6067 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL)
6068 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
6069 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
6070 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
6071 : (p_dev_rec->p_cur_service->security_flags
6072 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
6073 }
6074 }
6075
6076 rv = TRUE;
6077 }
6078
6079 return rv;
6080 }
6081
6082 /*******************************************************************************
6083 **
6084 ** Function btm_sec_auth_payload_tout
6085 **
6086 ** Description Processes the HCI Autheniticated Payload Timeout Event
6087 ** indicating that a packet containing a valid MIC on the
6088 ** connection handle was not received within the programmed
6089 ** timeout value. (Spec Default is 30 secs, but can be
6090 ** changed via the BTM_SecSetAuthPayloadTimeout() function.
6091 **
6092 *******************************************************************************/
btm_sec_auth_payload_tout(UINT8 * p,UINT16 hci_evt_len)6093 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len)
6094 {
6095 UINT16 handle;
6096
6097 STREAM_TO_UINT16 (handle, p);
6098 handle = HCID_GET_HANDLE (handle);
6099
6100 /* Will be exposed to upper layers in the future if/when determined necessary */
6101 BTM_TRACE_ERROR ("%s on handle 0x%02x", __func__, handle);
6102 }
6103
6104 /*******************************************************************************
6105 **
6106 ** Function btm_sec_queue_encrypt_request
6107 **
6108 ** Description encqueue encryption request when device has active security
6109 ** process pending.
6110 **
6111 *******************************************************************************/
btm_sec_queue_encrypt_request(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)6112 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
6113 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
6114 {
6115 tBTM_SEC_QUEUE_ENTRY *p_e;
6116 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getbuf(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
6117
6118 if (p_e)
6119 {
6120 p_e->psm = 0; /* if PSM 0, encryption request */
6121 p_e->p_callback = p_callback;
6122 p_e->p_ref_data = (void *)(p_e + 1);
6123 *(UINT8 *)p_e->p_ref_data = *(UINT8 *)(p_ref_data);
6124 p_e->transport = transport;
6125 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
6126 GKI_enqueue(&btm_cb.sec_pending_q, p_e);
6127 return TRUE;
6128 }
6129
6130 return FALSE;
6131 }
6132
6133 /*******************************************************************************
6134 **
6135 ** Function btm_sec_set_peer_sec_caps
6136 **
6137 ** Description This function is called to set sm4 and rmt_sec_caps fields
6138 ** based on the available peer device features.
6139 **
6140 ** Returns void
6141 **
6142 *******************************************************************************/
btm_sec_set_peer_sec_caps(tACL_CONN * p_acl_cb,tBTM_SEC_DEV_REC * p_dev_rec)6143 void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec)
6144 {
6145 BD_ADDR rem_bd_addr;
6146 UINT8 *p_rem_bd_addr;
6147
6148 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
6149 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
6150 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
6151 HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]))
6152 {
6153 p_dev_rec->sm4 = BTM_SM4_TRUE;
6154 p_dev_rec->remote_supports_secure_connections =
6155 (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]));
6156 }
6157 else
6158 {
6159 p_dev_rec->sm4 = BTM_SM4_KNOWN;
6160 p_dev_rec->remote_supports_secure_connections = FALSE;
6161 }
6162
6163 BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d", __FUNCTION__,
6164 p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections);
6165
6166
6167 if (p_dev_rec->remote_features_needed)
6168 {
6169 BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!",
6170 __FUNCTION__);
6171 p_rem_bd_addr = (UINT8*) rem_bd_addr;
6172 BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr);
6173 p_rem_bd_addr = (UINT8*) rem_bd_addr;
6174 btm_io_capabilities_req(p_rem_bd_addr);
6175 p_dev_rec->remote_features_needed = FALSE;
6176 }
6177 }
6178
6179 /*******************************************************************************
6180 **
6181 ** Function btm_sec_clean_pending_req_queue
6182 **
6183 ** Description This function cleans up the pending security request when the
6184 ** link to the target device dropped.
6185 **
6186 ** Returns void
6187 **
6188 *******************************************************************************/
btm_sec_clean_pending_req_queue(BD_ADDR remote_bda,tBT_TRANSPORT transport)6189 static void btm_sec_clean_pending_req_queue (BD_ADDR remote_bda, tBT_TRANSPORT transport)
6190 {
6191 tBTM_SEC_QUEUE_ENTRY *p_e;
6192 BUFFER_Q *bq = &btm_cb.sec_pending_q;
6193
6194 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
6195
6196 if (p_e != NULL)
6197 {
6198 if (memcmp(p_e->bd_addr, remote_bda, BD_ADDR_LEN) == 0
6199 #if BLE_INCLUDED == TRUE
6200 && p_e->transport == transport
6201 #endif
6202 )
6203 {
6204 (*p_e->p_callback) (remote_bda, transport, p_e->p_ref_data, BTM_ERR_PROCESSING);
6205 GKI_remove_from_queue(bq, (void *)p_e);
6206 }
6207 p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
6208 }
6209 }
6210
6211 /*******************************************************************************
6212 **
6213 ** Function btm_sec_is_serv_level0
6214 **
6215 ** Description This function is called to check if the service corresponding
6216 ** to PSM is security mode 4 level 0 service.
6217 **
6218 ** Returns TRUE if the service is security mode 4 level 0 service
6219 **
6220 *******************************************************************************/
btm_sec_is_serv_level0(UINT16 psm)6221 static BOOLEAN btm_sec_is_serv_level0(UINT16 psm)
6222 {
6223 if (psm == BT_PSM_SDP)
6224 {
6225 BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service", __FUNCTION__, psm);
6226 return TRUE;
6227 }
6228 return FALSE;
6229 }
6230
6231 /*******************************************************************************
6232 **
6233 ** Function btm_sec_check_pending_enc_req
6234 **
6235 ** Description This function is called to send pending encryption callback if
6236 ** waiting
6237 **
6238 ** Returns void
6239 **
6240 *******************************************************************************/
btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC * p_dev_rec,tBT_TRANSPORT transport,UINT8 encr_enable)6241 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
6242 UINT8 encr_enable)
6243 {
6244 tBTM_SEC_QUEUE_ENTRY *p_e;
6245 BUFFER_Q *bq = &btm_cb.sec_pending_q;
6246 UINT8 res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
6247
6248 p_e = (tBTM_SEC_QUEUE_ENTRY *)GKI_getfirst(bq);
6249
6250 while (p_e != NULL)
6251 {
6252 if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0
6253 #if BLE_INCLUDED == TRUE
6254 && p_e->transport == transport
6255 #endif
6256 )
6257 {
6258 #if BLE_INCLUDED == TRUE
6259 UINT8 sec_act = *(UINT8 *)(p_e->p_ref_data);
6260 #endif
6261
6262 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR
6263 #if BLE_INCLUDED == TRUE
6264 || (sec_act == BTM_BLE_SEC_ENCRYPT || sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
6265 || (sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags
6266 & BTM_SEC_LE_AUTHENTICATED)
6267 #endif
6268 )
6269 {
6270 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res);
6271 GKI_remove_from_queue(bq, (void *)p_e);
6272 }
6273 }
6274 p_e = (tBTM_SEC_QUEUE_ENTRY *) GKI_getnext ((void *)p_e);
6275 }
6276 }
6277
6278 /*******************************************************************************
6279 **
6280 ** Function btm_sec_set_serv_level4_flags
6281 **
6282 ** Description This function is called to set security mode 4 level 4 flags.
6283 **
6284 ** Returns service security requirements updated to include secure
6285 ** connections only mode.
6286 **
6287 *******************************************************************************/
btm_sec_set_serv_level4_flags(UINT16 cur_security,BOOLEAN is_originator)6288 static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator)
6289 {
6290 UINT16 sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS;
6291
6292 return cur_security | sec_level4_flags;
6293 }
6294
6295 /*******************************************************************************
6296 **
6297 ** Function btm_sec_clear_ble_keys
6298 **
6299 ** Description This function is called to clear out the BLE keys.
6300 ** Typically when devices are removed in BTM_SecDeleteDevice,
6301 ** or when a new BT Link key is generated.
6302 **
6303 ** Returns void
6304 **
6305 *******************************************************************************/
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)6306 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec)
6307 {
6308
6309 BTM_TRACE_DEBUG ("%s() Clearing BLE Keys", __func__);
6310 #if (SMP_INCLUDED== TRUE)
6311 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
6312 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6313
6314 #if (BLE_PRIVACY_SPT == TRUE)
6315 btm_ble_resolving_list_remove_dev(p_dev_rec);
6316 #endif
6317 #endif
6318 }
6319
6320 /*******************************************************************************
6321 **
6322 ** Function btm_sec_is_a_bonded_dev
6323 **
6324 ** Description Is the specified device is a bonded device
6325 **
6326 ** Returns TRUE - dev is bonded
6327 **
6328 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6329 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6330 {
6331
6332 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6333 BOOLEAN is_bonded= FALSE;
6334
6335 if (p_dev_rec &&
6336 #if (SMP_INCLUDED == TRUE)
6337 ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN))||
6338 #else
6339 (
6340 #endif
6341 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)))
6342 {
6343 is_bonded = TRUE;
6344 }
6345 BTM_TRACE_DEBUG ("%s() is_bonded=%d", __func__, is_bonded);
6346 return(is_bonded);
6347 }
6348
6349 /*******************************************************************************
6350 **
6351 ** Function btm_sec_is_le_capable_dev
6352 **
6353 ** Description Is the specified device is dual mode or LE only device
6354 **
6355 ** Returns TRUE - dev is a dual mode
6356 **
6357 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6358 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6359 {
6360 tBTM_SEC_DEV_REC *p_dev_rec= btm_find_dev (bda);
6361 BOOLEAN le_capable = FALSE;
6362
6363 #if (BLE_INCLUDED== TRUE)
6364 if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE)
6365 le_capable = TRUE;
6366 #endif
6367 return le_capable;
6368 }
6369
6370 /*******************************************************************************
6371 **
6372 ** Function btm_sec_find_bonded_dev
6373 **
6374 ** Description Find a bonded device starting from the specified index
6375 **
6376 ** Returns TRUE - found a bonded device
6377 **
6378 *******************************************************************************/
btm_sec_find_bonded_dev(UINT8 start_idx,UINT8 * p_found_idx,tBTM_SEC_DEV_REC ** p_rec)6379 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT8 *p_found_idx, tBTM_SEC_DEV_REC **p_rec)
6380 {
6381 BOOLEAN found= FALSE;
6382
6383 #if (SMP_INCLUDED== TRUE)
6384 tBTM_SEC_DEV_REC *p_dev_rec;
6385 int i;
6386 if (start_idx >= BTM_SEC_MAX_DEVICE_RECORDS)
6387 {
6388 BTM_TRACE_DEBUG ("LE bonded device not found");
6389 return found;
6390 }
6391
6392 p_dev_rec = &btm_cb.sec_dev_rec[start_idx];
6393 for (i = start_idx; i < BTM_SEC_MAX_DEVICE_RECORDS; i++, p_dev_rec++)
6394 {
6395 if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))
6396 {
6397 *p_found_idx = i;
6398 *p_rec = p_dev_rec;
6399 break;
6400 }
6401 }
6402 BTM_TRACE_DEBUG ("%s() found=%d", __func__, found);
6403 #endif
6404 return(found);
6405 }
6406
6407 /*******************************************************************************
6408 **
6409 ** Function btm_sec_use_smp_br_chnl
6410 **
6411 ** Description The function checks if SMP BR connection can be used with
6412 ** the peer.
6413 ** Is called when authentication for dedicated bonding is
6414 ** successfully completed.
6415 **
6416 ** Returns TRUE - if SMP BR connection can be used (the link key is
6417 ** generated from P-256 and the peer supports Security
6418 ** Manager over BR).
6419 **
6420 *******************************************************************************/
btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC * p_dev_rec)6421 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec)
6422 {
6423 UINT32 ext_feat;
6424 UINT8 chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
6425
6426 BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x", __func__,
6427 p_dev_rec->link_key_type);
6428
6429 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
6430 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256))
6431 return FALSE;
6432
6433 if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask))
6434 return FALSE;
6435
6436 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT))
6437 return FALSE;
6438
6439 return TRUE;
6440 }
6441
6442 /*******************************************************************************
6443 **
6444 ** Function btm_sec_is_master
6445 **
6446 ** Description The function checks if the device is BR/EDR master after
6447 ** pairing is completed.
6448 **
6449 ** Returns TRUE - if the device is master.
6450 **
6451 *******************************************************************************/
btm_sec_is_master(tBTM_SEC_DEV_REC * p_dev_rec)6452 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
6453 {
6454 tACL_CONN *p= btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
6455 return (p && (p->link_role == BTM_ROLE_MASTER));
6456 }
6457
6458