1 /******************************************************************************
2 *
3 * Copyright 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for BLE device control utilities, and LE
22 * security functions.
23 *
24 ******************************************************************************/
25
26 #define LOG_TAG "bt_btm_ble"
27
28 #include "bt_target.h"
29
30 #include <base/bind.h>
31 #include <string.h>
32
33 #include "bt_types.h"
34 #include "bt_utils.h"
35 #include "btm_ble_api.h"
36 #include "btm_int.h"
37 #include "btu.h"
38 #include "device/include/controller.h"
39 #include "gap_api.h"
40 #include "gatt_api.h"
41 #include "hcimsgs.h"
42 #include "log/log.h"
43 #include "l2c_int.h"
44 #include "osi/include/log.h"
45 #include "osi/include/osi.h"
46 #include "smp_api.h"
47
48 extern bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input,
49 uint16_t length, uint16_t tlen,
50 uint8_t* p_signature);
51 extern void gatt_notify_phy_updated(uint8_t status, uint16_t handle,
52 uint8_t tx_phy, uint8_t rx_phy);
53 extern void btm_ble_advertiser_notify_terminated_legacy(
54 uint8_t status, uint16_t connection_handle);
55
56 /******************************************************************************/
57 /* External Function to be called by other modules */
58 /******************************************************************************/
59 /********************************************************
60 *
61 * Function BTM_SecAddBleDevice
62 *
63 * Description Add/modify device. This function will be normally called
64 * during host startup to restore all required information
65 * for a LE device stored in the NVRAM.
66 *
67 * Parameters: bd_addr - BD address of the peer
68 * bd_name - Name of the peer device. NULL if unknown.
69 * dev_type - Remote device's device type.
70 * addr_type - LE device address type.
71 *
72 * Returns true if added OK, else false
73 *
74 ******************************************************************************/
BTM_SecAddBleDevice(const RawAddress & bd_addr,BD_NAME bd_name,tBT_DEVICE_TYPE dev_type,tBLE_ADDR_TYPE addr_type)75 bool BTM_SecAddBleDevice(const RawAddress& bd_addr, BD_NAME bd_name,
76 tBT_DEVICE_TYPE dev_type, tBLE_ADDR_TYPE addr_type) {
77 BTM_TRACE_DEBUG("%s: dev_type=0x%x", __func__, dev_type);
78
79 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
80 if (!p_dev_rec) {
81 p_dev_rec = btm_sec_allocate_dev_rec();
82
83 p_dev_rec->bd_addr = bd_addr;
84 p_dev_rec->hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_BR_EDR);
85 p_dev_rec->ble_hci_handle = BTM_GetHCIConnHandle(bd_addr, BT_TRANSPORT_LE);
86
87 /* update conn params, use default value for background connection params */
88 p_dev_rec->conn_params.min_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
89 p_dev_rec->conn_params.max_conn_int = BTM_BLE_CONN_PARAM_UNDEF;
90 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_PARAM_UNDEF;
91 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_PARAM_UNDEF;
92
93 BTM_TRACE_DEBUG("%s: Device added, handle=0x%x, p_dev_rec=%p, bd_addr=%s",
94 __func__, p_dev_rec->ble_hci_handle, p_dev_rec,
95 bd_addr.ToString().c_str());
96 }
97
98 memset(p_dev_rec->sec_bd_name, 0, sizeof(tBTM_BD_NAME));
99
100 if (bd_name && bd_name[0]) {
101 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
102 strlcpy((char*)p_dev_rec->sec_bd_name, (char*)bd_name,
103 BTM_MAX_REM_BD_NAME_LEN);
104 }
105 p_dev_rec->device_type |= dev_type;
106 p_dev_rec->ble.ble_addr_type = addr_type;
107
108 p_dev_rec->ble.pseudo_addr = bd_addr;
109 /* sync up with the Inq Data base*/
110 tBTM_INQ_INFO* p_info = BTM_InqDbRead(bd_addr);
111 if (p_info) {
112 p_info->results.ble_addr_type = p_dev_rec->ble.ble_addr_type;
113 p_info->results.device_type = p_dev_rec->device_type;
114 BTM_TRACE_DEBUG("InqDb device_type =0x%x addr_type=0x%x",
115 p_info->results.device_type, p_info->results.ble_addr_type);
116 }
117
118 return true;
119 }
120
121 /*******************************************************************************
122 *
123 * Function BTM_SecAddBleKey
124 *
125 * Description Add/modify LE device information. This function will be
126 * normally called during host startup to restore all required
127 * information stored in the NVRAM.
128 *
129 * Parameters: bd_addr - BD address of the peer
130 * p_le_key - LE key values.
131 * key_type - LE SMP key type.
132 *
133 * Returns true if added OK, else false
134 *
135 ******************************************************************************/
BTM_SecAddBleKey(const RawAddress & bd_addr,tBTM_LE_KEY_VALUE * p_le_key,tBTM_LE_KEY_TYPE key_type)136 bool BTM_SecAddBleKey(const RawAddress& bd_addr, tBTM_LE_KEY_VALUE* p_le_key,
137 tBTM_LE_KEY_TYPE key_type) {
138 tBTM_SEC_DEV_REC* p_dev_rec;
139 BTM_TRACE_DEBUG("BTM_SecAddBleKey");
140 p_dev_rec = btm_find_dev(bd_addr);
141 if (!p_dev_rec || !p_le_key ||
142 (key_type != BTM_LE_KEY_PENC && key_type != BTM_LE_KEY_PID &&
143 key_type != BTM_LE_KEY_PCSRK && key_type != BTM_LE_KEY_LENC &&
144 key_type != BTM_LE_KEY_LCSRK && key_type != BTM_LE_KEY_LID)) {
145 LOG(WARNING) << __func__
146 << " Wrong Type, or No Device record for bdaddr: " << bd_addr
147 << ", Type: " << key_type;
148 return (false);
149 }
150
151 VLOG(1) << __func__ << " BDA: " << bd_addr << ", Type: " << key_type;
152
153 btm_sec_save_le_key(bd_addr, key_type, p_le_key, false);
154
155 #if (BLE_PRIVACY_SPT == TRUE)
156 if (key_type == BTM_LE_KEY_PID || key_type == BTM_LE_KEY_LID)
157 btm_ble_resolving_list_load_dev(p_dev_rec);
158 #endif
159
160 return (true);
161 }
162
163 /*******************************************************************************
164 *
165 * Function BTM_BleLoadLocalKeys
166 *
167 * Description Local local identity key, encryption root or sign counter.
168 *
169 * Parameters: key_type: type of key, can be BTM_BLE_KEY_TYPE_ID,
170 * BTM_BLE_KEY_TYPE_ER
171 * or BTM_BLE_KEY_TYPE_COUNTER.
172 * p_key: pointer to the key.
173 *
174 * Returns non2.
175 *
176 ******************************************************************************/
BTM_BleLoadLocalKeys(uint8_t key_type,tBTM_BLE_LOCAL_KEYS * p_key)177 void BTM_BleLoadLocalKeys(uint8_t key_type, tBTM_BLE_LOCAL_KEYS* p_key) {
178 tBTM_DEVCB* p_devcb = &btm_cb.devcb;
179 BTM_TRACE_DEBUG("%s", __func__);
180 if (p_key != NULL) {
181 switch (key_type) {
182 case BTM_BLE_KEY_TYPE_ID:
183 memcpy(&p_devcb->id_keys, &p_key->id_keys,
184 sizeof(tBTM_BLE_LOCAL_ID_KEYS));
185 break;
186
187 case BTM_BLE_KEY_TYPE_ER:
188 memcpy(p_devcb->ble_encryption_key_value, p_key->er,
189 sizeof(BT_OCTET16));
190 break;
191
192 default:
193 BTM_TRACE_ERROR("unknow local key type: %d", key_type);
194 break;
195 }
196 }
197 }
198
199 /*******************************************************************************
200 *
201 * Function BTM_GetDeviceEncRoot
202 *
203 * Description This function is called to read the local device encryption
204 * root.
205 *
206 * Returns void
207 * the local device ER is copied into ble_encr_key_value
208 *
209 ******************************************************************************/
BTM_GetDeviceEncRoot(BT_OCTET16 ble_encr_key_value)210 void BTM_GetDeviceEncRoot(BT_OCTET16 ble_encr_key_value) {
211 BTM_TRACE_DEBUG("%s", __func__);
212 memcpy(ble_encr_key_value, btm_cb.devcb.ble_encryption_key_value,
213 BT_OCTET16_LEN);
214 }
215
216 /*******************************************************************************
217 *
218 * Function BTM_GetDeviceIDRoot
219 *
220 * Description This function is called to read the local device identity
221 * root.
222 *
223 * Returns void
224 * the local device IR is copied into irk
225 *
226 ******************************************************************************/
BTM_GetDeviceIDRoot(BT_OCTET16 irk)227 void BTM_GetDeviceIDRoot(BT_OCTET16 irk) {
228 BTM_TRACE_DEBUG("BTM_GetDeviceIDRoot ");
229
230 memcpy(irk, btm_cb.devcb.id_keys.irk, BT_OCTET16_LEN);
231 }
232
233 /*******************************************************************************
234 *
235 * Function BTM_GetDeviceDHK
236 *
237 * Description This function is called to read the local device DHK.
238 *
239 * Returns void
240 * the local device DHK is copied into dhk
241 *
242 ******************************************************************************/
BTM_GetDeviceDHK(BT_OCTET16 dhk)243 void BTM_GetDeviceDHK(BT_OCTET16 dhk) {
244 BTM_TRACE_DEBUG("BTM_GetDeviceDHK");
245 memcpy(dhk, btm_cb.devcb.id_keys.dhk, BT_OCTET16_LEN);
246 }
247
248 /*******************************************************************************
249 *
250 * Function BTM_ReadConnectionAddr
251 *
252 * Description This function is called to get the local device address
253 * information.
254 *
255 * Returns void
256 *
257 ******************************************************************************/
BTM_ReadConnectionAddr(const RawAddress & remote_bda,RawAddress & local_conn_addr,tBLE_ADDR_TYPE * p_addr_type)258 void BTM_ReadConnectionAddr(const RawAddress& remote_bda,
259 RawAddress& local_conn_addr,
260 tBLE_ADDR_TYPE* p_addr_type) {
261 tACL_CONN* p_acl = btm_bda_to_acl(remote_bda, BT_TRANSPORT_LE);
262
263 if (p_acl == NULL) {
264 BTM_TRACE_ERROR("No connection exist!");
265 return;
266 }
267 local_conn_addr = p_acl->conn_addr;
268 *p_addr_type = p_acl->conn_addr_type;
269
270 BTM_TRACE_DEBUG("BTM_ReadConnectionAddr address type: %d addr: 0x%02x",
271 p_acl->conn_addr_type, p_acl->conn_addr.address[0]);
272 }
273
274 /*******************************************************************************
275 *
276 * Function BTM_IsBleConnection
277 *
278 * Description This function is called to check if the connection handle
279 * for an LE link
280 *
281 * Returns true if connection is LE link, otherwise false.
282 *
283 ******************************************************************************/
BTM_IsBleConnection(uint16_t conn_handle)284 bool BTM_IsBleConnection(uint16_t conn_handle) {
285 uint8_t xx;
286 tACL_CONN* p;
287
288 BTM_TRACE_API("BTM_IsBleConnection: conn_handle: %d", conn_handle);
289
290 xx = btm_handle_to_acl_index(conn_handle);
291 if (xx >= MAX_L2CAP_LINKS) return false;
292
293 p = &btm_cb.acl_db[xx];
294
295 return (p->transport == BT_TRANSPORT_LE);
296 }
297
298 /*******************************************************************************
299 *
300 * Function BTM_ReadRemoteConnectionAddr
301 *
302 * Description This function is read the remote device address currently used
303 *
304 * Parameters pseudo_addr: pseudo random address available
305 * conn_addr:connection address used
306 * p_addr_type : BD Address type, Public or Random of the address
307 * used
308 *
309 * Returns bool, true if connection to remote device exists, else false
310 *
311 ******************************************************************************/
BTM_ReadRemoteConnectionAddr(const RawAddress & pseudo_addr,RawAddress & conn_addr,tBLE_ADDR_TYPE * p_addr_type)312 bool BTM_ReadRemoteConnectionAddr(const RawAddress& pseudo_addr,
313 RawAddress& conn_addr,
314 tBLE_ADDR_TYPE* p_addr_type) {
315 bool st = true;
316 #if (BLE_PRIVACY_SPT == TRUE)
317 tACL_CONN* p = btm_bda_to_acl(pseudo_addr, BT_TRANSPORT_LE);
318
319 if (p == NULL) {
320 BTM_TRACE_ERROR(
321 "BTM_ReadRemoteConnectionAddr can not find connection"
322 " with matching address");
323 return false;
324 }
325
326 conn_addr = p->active_remote_addr;
327 *p_addr_type = p->active_remote_addr_type;
328 #else
329 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(pseudo_addr);
330
331 conn_addr = pseudo_addr;
332 if (p_dev_rec != NULL) {
333 *p_addr_type = p_dev_rec->ble.ble_addr_type;
334 }
335 #endif
336 return st;
337 }
338 /*******************************************************************************
339 *
340 * Function BTM_SecurityGrant
341 *
342 * Description This function is called to grant security process.
343 *
344 * Parameters bd_addr - peer device bd address.
345 * res - result of the operation BTM_SUCCESS if success.
346 * Otherwise, BTM_REPEATED_ATTEMPTS if too many
347 * attempts.
348 *
349 * Returns None
350 *
351 ******************************************************************************/
BTM_SecurityGrant(const RawAddress & bd_addr,uint8_t res)352 void BTM_SecurityGrant(const RawAddress& bd_addr, uint8_t res) {
353 tSMP_STATUS res_smp =
354 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_REPEATED_ATTEMPTS;
355 BTM_TRACE_DEBUG("BTM_SecurityGrant");
356 SMP_SecurityGrant(bd_addr, res_smp);
357 }
358
359 /*******************************************************************************
360 *
361 * Function BTM_BlePasskeyReply
362 *
363 * Description This function is called after Security Manager submitted
364 * passkey request to the application.
365 *
366 * Parameters: bd_addr - Address of the device for which passkey was
367 * requested
368 * res - result of the operation BTM_SUCCESS if success
369 * key_len - length in bytes of the Passkey
370 * p_passkey - pointer to array with the passkey
371 * trusted_mask - bitwise OR of trusted services (array of
372 * uint32_t)
373 *
374 ******************************************************************************/
BTM_BlePasskeyReply(const RawAddress & bd_addr,uint8_t res,uint32_t passkey)375 void BTM_BlePasskeyReply(const RawAddress& bd_addr, uint8_t res,
376 uint32_t passkey) {
377 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
378 tSMP_STATUS res_smp =
379 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
380
381 if (p_dev_rec == NULL) {
382 BTM_TRACE_ERROR("Passkey reply to Unknown device");
383 return;
384 }
385
386 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
387 BTM_TRACE_DEBUG("BTM_BlePasskeyReply");
388 SMP_PasskeyReply(bd_addr, res_smp, passkey);
389 }
390
391 /*******************************************************************************
392 *
393 * Function BTM_BleConfirmReply
394 *
395 * Description This function is called after Security Manager submitted
396 * numeric comparison request to the application.
397 *
398 * Parameters: bd_addr - Address of the device with which numeric
399 * comparison was requested
400 * res - comparison result BTM_SUCCESS if success
401 *
402 ******************************************************************************/
BTM_BleConfirmReply(const RawAddress & bd_addr,uint8_t res)403 void BTM_BleConfirmReply(const RawAddress& bd_addr, uint8_t res) {
404 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
405 tSMP_STATUS res_smp =
406 (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_PASSKEY_ENTRY_FAIL;
407
408 if (p_dev_rec == NULL) {
409 BTM_TRACE_ERROR("Passkey reply to Unknown device");
410 return;
411 }
412
413 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
414 BTM_TRACE_DEBUG("%s", __func__);
415 SMP_ConfirmReply(bd_addr, res_smp);
416 }
417
418 /*******************************************************************************
419 *
420 * Function BTM_BleOobDataReply
421 *
422 * Description This function is called to provide the OOB data for
423 * SMP in response to BTM_LE_OOB_REQ_EVT
424 *
425 * Parameters: bd_addr - Address of the peer device
426 * res - result of the operation SMP_SUCCESS if success
427 * p_data - oob data, depending on transport and
428 * capabilities.
429 * Might be "Simple Pairing Randomizer", or
430 * "Security Manager TK Value".
431 *
432 ******************************************************************************/
BTM_BleOobDataReply(const RawAddress & bd_addr,uint8_t res,uint8_t len,uint8_t * p_data)433 void BTM_BleOobDataReply(const RawAddress& bd_addr, uint8_t res, uint8_t len,
434 uint8_t* p_data) {
435 tSMP_STATUS res_smp = (res == BTM_SUCCESS) ? SMP_SUCCESS : SMP_OOB_FAIL;
436 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
437
438 BTM_TRACE_DEBUG("%s:", __func__);
439
440 if (p_dev_rec == NULL) {
441 BTM_TRACE_ERROR("%s: Unknown device", __func__);
442 return;
443 }
444
445 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
446 SMP_OobDataReply(bd_addr, res_smp, len, p_data);
447 }
448
449 /*******************************************************************************
450 *
451 * Function BTM_BleSecureConnectionOobDataReply
452 *
453 * Description This function is called to provide the OOB data for
454 * SMP in response to BTM_LE_OOB_REQ_EVT when secure connection
455 * data is available
456 *
457 * Parameters: bd_addr - Address of the peer device
458 * p_c - pointer to Confirmation.
459 * p_r - pointer to Randomizer
460 *
461 ******************************************************************************/
BTM_BleSecureConnectionOobDataReply(const RawAddress & bd_addr,uint8_t * p_c,uint8_t * p_r)462 void BTM_BleSecureConnectionOobDataReply(const RawAddress& bd_addr,
463 uint8_t* p_c, uint8_t* p_r) {
464 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
465
466 BTM_TRACE_DEBUG("%s:", __func__);
467
468 if (p_dev_rec == NULL) {
469 BTM_TRACE_ERROR("%s: Unknown device", __func__);
470 return;
471 }
472
473 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
474
475 tSMP_SC_OOB_DATA oob;
476 memset(&oob, 0, sizeof(tSMP_SC_OOB_DATA));
477
478 oob.peer_oob_data.present = true;
479 memcpy(&oob.peer_oob_data.randomizer, p_r, BT_OCTET16_LEN);
480 memcpy(&oob.peer_oob_data.commitment, p_c, BT_OCTET16_LEN);
481 oob.peer_oob_data.addr_rcvd_from.type = p_dev_rec->ble.ble_addr_type;
482 oob.peer_oob_data.addr_rcvd_from.bda = bd_addr;
483
484 SMP_SecureConnectionOobDataReply((uint8_t*)&oob);
485 }
486
487 /******************************************************************************
488 *
489 * Function BTM_BleSetConnScanParams
490 *
491 * Description Set scan parameter used in BLE connection request
492 *
493 * Parameters: scan_interval: scan interval
494 * scan_window: scan window
495 *
496 * Returns void
497 *
498 ******************************************************************************/
BTM_BleSetConnScanParams(uint32_t scan_interval,uint32_t scan_window)499 void BTM_BleSetConnScanParams(uint32_t scan_interval, uint32_t scan_window) {
500 tBTM_BLE_CB* p_ble_cb = &btm_cb.ble_ctr_cb;
501 bool new_param = false;
502
503 if (BTM_BLE_ISVALID_PARAM(scan_interval, BTM_BLE_SCAN_INT_MIN,
504 BTM_BLE_SCAN_INT_MAX) &&
505 BTM_BLE_ISVALID_PARAM(scan_window, BTM_BLE_SCAN_WIN_MIN,
506 BTM_BLE_SCAN_WIN_MAX)) {
507 if (p_ble_cb->scan_int != scan_interval) {
508 p_ble_cb->scan_int = scan_interval;
509 new_param = true;
510 }
511
512 if (p_ble_cb->scan_win != scan_window) {
513 p_ble_cb->scan_win = scan_window;
514 new_param = true;
515 }
516
517 if (new_param && p_ble_cb->conn_state == BLE_BG_CONN) {
518 btm_ble_suspend_bg_conn();
519 }
520 } else {
521 BTM_TRACE_ERROR("Illegal Connection Scan Parameters");
522 }
523 }
524
525 /********************************************************
526 *
527 * Function BTM_BleSetPrefConnParams
528 *
529 * Description Set a peripheral's preferred connection parameters
530 *
531 * Parameters: bd_addr - BD address of the peripheral
532 * scan_interval: scan interval
533 * scan_window: scan window
534 * min_conn_int - minimum preferred connection interval
535 * max_conn_int - maximum preferred connection interval
536 * slave_latency - preferred slave latency
537 * supervision_tout - preferred supervision timeout
538 *
539 * Returns void
540 *
541 ******************************************************************************/
BTM_BleSetPrefConnParams(const RawAddress & bd_addr,uint16_t min_conn_int,uint16_t max_conn_int,uint16_t slave_latency,uint16_t supervision_tout)542 void BTM_BleSetPrefConnParams(const RawAddress& bd_addr, uint16_t min_conn_int,
543 uint16_t max_conn_int, uint16_t slave_latency,
544 uint16_t supervision_tout) {
545 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
546
547 BTM_TRACE_API(
548 "BTM_BleSetPrefConnParams min: %u max: %u latency: %u \
549 tout: %u",
550 min_conn_int, max_conn_int, slave_latency, supervision_tout);
551
552 if (BTM_BLE_ISVALID_PARAM(min_conn_int, BTM_BLE_CONN_INT_MIN,
553 BTM_BLE_CONN_INT_MAX) &&
554 BTM_BLE_ISVALID_PARAM(max_conn_int, BTM_BLE_CONN_INT_MIN,
555 BTM_BLE_CONN_INT_MAX) &&
556 BTM_BLE_ISVALID_PARAM(supervision_tout, BTM_BLE_CONN_SUP_TOUT_MIN,
557 BTM_BLE_CONN_SUP_TOUT_MAX) &&
558 (slave_latency <= BTM_BLE_CONN_LATENCY_MAX ||
559 slave_latency == BTM_BLE_CONN_PARAM_UNDEF)) {
560 if (p_dev_rec) {
561 /* expect conn int and stout and slave latency to be updated all together
562 */
563 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF ||
564 max_conn_int != BTM_BLE_CONN_PARAM_UNDEF) {
565 if (min_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
566 p_dev_rec->conn_params.min_conn_int = min_conn_int;
567 else
568 p_dev_rec->conn_params.min_conn_int = max_conn_int;
569
570 if (max_conn_int != BTM_BLE_CONN_PARAM_UNDEF)
571 p_dev_rec->conn_params.max_conn_int = max_conn_int;
572 else
573 p_dev_rec->conn_params.max_conn_int = min_conn_int;
574
575 if (slave_latency != BTM_BLE_CONN_PARAM_UNDEF)
576 p_dev_rec->conn_params.slave_latency = slave_latency;
577 else
578 p_dev_rec->conn_params.slave_latency = BTM_BLE_CONN_SLAVE_LATENCY_DEF;
579
580 if (supervision_tout != BTM_BLE_CONN_PARAM_UNDEF)
581 p_dev_rec->conn_params.supervision_tout = supervision_tout;
582 else
583 p_dev_rec->conn_params.supervision_tout = BTM_BLE_CONN_TIMEOUT_DEF;
584 }
585
586 } else {
587 BTM_TRACE_ERROR("Unknown Device, setting rejected");
588 }
589 } else {
590 BTM_TRACE_ERROR("Illegal Connection Parameters");
591 }
592 }
593
594 /*******************************************************************************
595 *
596 * Function BTM_ReadDevInfo
597 *
598 * Description This function is called to read the device/address type
599 * of BD address.
600 *
601 * Parameter remote_bda: remote device address
602 * p_dev_type: output parameter to read the device type.
603 * p_addr_type: output parameter to read the address type.
604 *
605 ******************************************************************************/
BTM_ReadDevInfo(const RawAddress & remote_bda,tBT_DEVICE_TYPE * p_dev_type,tBLE_ADDR_TYPE * p_addr_type)606 void BTM_ReadDevInfo(const RawAddress& remote_bda, tBT_DEVICE_TYPE* p_dev_type,
607 tBLE_ADDR_TYPE* p_addr_type) {
608 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(remote_bda);
609 tBTM_INQ_INFO* p_inq_info = BTM_InqDbRead(remote_bda);
610
611 *p_addr_type = BLE_ADDR_PUBLIC;
612
613 if (!p_dev_rec) {
614 *p_dev_type = BT_DEVICE_TYPE_BREDR;
615 /* Check with the BT manager if details about remote device are known */
616 if (p_inq_info != NULL) {
617 *p_dev_type = p_inq_info->results.device_type;
618 *p_addr_type = p_inq_info->results.ble_addr_type;
619 } else {
620 /* unknown device, assume BR/EDR */
621 BTM_TRACE_DEBUG("btm_find_dev_type - unknown device, BR/EDR assumed");
622 }
623 } else /* there is a security device record exisitng */
624 {
625 /* new inquiry result, overwrite device type in security device record */
626 if (p_inq_info) {
627 p_dev_rec->device_type = p_inq_info->results.device_type;
628 p_dev_rec->ble.ble_addr_type = p_inq_info->results.ble_addr_type;
629 }
630 if (p_dev_rec->bd_addr == remote_bda &&
631 p_dev_rec->ble.pseudo_addr == remote_bda) {
632 *p_dev_type = p_dev_rec->device_type;
633 *p_addr_type = p_dev_rec->ble.ble_addr_type;
634 } else if (p_dev_rec->ble.pseudo_addr == remote_bda) {
635 *p_dev_type = BT_DEVICE_TYPE_BLE;
636 *p_addr_type = p_dev_rec->ble.ble_addr_type;
637 } else /* matching static adddress only */
638 {
639 *p_dev_type = BT_DEVICE_TYPE_BREDR;
640 *p_addr_type = BLE_ADDR_PUBLIC;
641 }
642 }
643
644 BTM_TRACE_DEBUG("btm_find_dev_type - device_type = %d addr_type = %d",
645 *p_dev_type, *p_addr_type);
646 }
647
648 /*******************************************************************************
649 *
650 * Function BTM_ReadConnectedTransportAddress
651 *
652 * Description This function is called to read the paired device/address
653 * type of other device paired corresponding to the BD_address
654 *
655 * Parameter remote_bda: remote device address, carry out the transport
656 * address
657 * transport: active transport
658 *
659 * Return true if an active link is identified; false otherwise
660 *
661 ******************************************************************************/
BTM_ReadConnectedTransportAddress(RawAddress * remote_bda,tBT_TRANSPORT transport)662 bool BTM_ReadConnectedTransportAddress(RawAddress* remote_bda,
663 tBT_TRANSPORT transport) {
664 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(*remote_bda);
665
666 /* if no device can be located, return */
667 if (p_dev_rec == NULL) return false;
668
669 if (transport == BT_TRANSPORT_BR_EDR) {
670 if (btm_bda_to_acl(p_dev_rec->bd_addr, transport) != NULL) {
671 *remote_bda = p_dev_rec->bd_addr;
672 return true;
673 } else if (p_dev_rec->device_type & BT_DEVICE_TYPE_BREDR) {
674 *remote_bda = p_dev_rec->bd_addr;
675 } else
676 *remote_bda = RawAddress::kEmpty;
677 return false;
678 }
679
680 if (transport == BT_TRANSPORT_LE) {
681 *remote_bda = p_dev_rec->ble.pseudo_addr;
682 if (btm_bda_to_acl(p_dev_rec->ble.pseudo_addr, transport) != NULL)
683 return true;
684 else
685 return false;
686 }
687
688 return false;
689 }
690
691 /*******************************************************************************
692 *
693 * Function BTM_BleReceiverTest
694 *
695 * Description This function is called to start the LE Receiver test
696 *
697 * Parameter rx_freq - Frequency Range
698 * p_cmd_cmpl_cback - Command Complete callback
699 *
700 ******************************************************************************/
BTM_BleReceiverTest(uint8_t rx_freq,tBTM_CMPL_CB * p_cmd_cmpl_cback)701 void BTM_BleReceiverTest(uint8_t rx_freq, tBTM_CMPL_CB* p_cmd_cmpl_cback) {
702 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
703
704 btsnd_hcic_ble_receiver_test(rx_freq);
705 }
706
707 /*******************************************************************************
708 *
709 * Function BTM_BleTransmitterTest
710 *
711 * Description This function is called to start the LE Transmitter test
712 *
713 * Parameter tx_freq - Frequency Range
714 * test_data_len - Length in bytes of payload data in each
715 * packet
716 * packet_payload - Pattern to use in the payload
717 * p_cmd_cmpl_cback - Command Complete callback
718 *
719 ******************************************************************************/
BTM_BleTransmitterTest(uint8_t tx_freq,uint8_t test_data_len,uint8_t packet_payload,tBTM_CMPL_CB * p_cmd_cmpl_cback)720 void BTM_BleTransmitterTest(uint8_t tx_freq, uint8_t test_data_len,
721 uint8_t packet_payload,
722 tBTM_CMPL_CB* p_cmd_cmpl_cback) {
723 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
724 btsnd_hcic_ble_transmitter_test(tx_freq, test_data_len, packet_payload);
725 }
726
727 /*******************************************************************************
728 *
729 * Function BTM_BleTestEnd
730 *
731 * Description This function is called to stop the in-progress TX or RX
732 * test
733 *
734 * Parameter p_cmd_cmpl_cback - Command complete callback
735 *
736 ******************************************************************************/
BTM_BleTestEnd(tBTM_CMPL_CB * p_cmd_cmpl_cback)737 void BTM_BleTestEnd(tBTM_CMPL_CB* p_cmd_cmpl_cback) {
738 btm_cb.devcb.p_le_test_cmd_cmpl_cb = p_cmd_cmpl_cback;
739
740 btsnd_hcic_ble_test_end();
741 }
742
743 /*******************************************************************************
744 * Internal Functions
745 ******************************************************************************/
btm_ble_test_command_complete(uint8_t * p)746 void btm_ble_test_command_complete(uint8_t* p) {
747 tBTM_CMPL_CB* p_cb = btm_cb.devcb.p_le_test_cmd_cmpl_cb;
748
749 btm_cb.devcb.p_le_test_cmd_cmpl_cb = NULL;
750
751 if (p_cb) {
752 (*p_cb)(p);
753 }
754 }
755
756 /*******************************************************************************
757 *
758 * Function BTM_UseLeLink
759 *
760 * Description This function is to select the underlying physical link to
761 * use.
762 *
763 * Returns true to use LE, false use BR/EDR.
764 *
765 ******************************************************************************/
BTM_UseLeLink(const RawAddress & bd_addr)766 bool BTM_UseLeLink(const RawAddress& bd_addr) {
767 tACL_CONN* p;
768 tBT_DEVICE_TYPE dev_type;
769 tBLE_ADDR_TYPE addr_type;
770 bool use_le = false;
771
772 p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_BR_EDR);
773 if (p != NULL) {
774 return use_le;
775 } else {
776 p = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
777 if (p != NULL) {
778 use_le = true;
779 } else {
780 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
781 use_le = (dev_type == BT_DEVICE_TYPE_BLE);
782 }
783 }
784 return use_le;
785 }
786
787 /*******************************************************************************
788 *
789 * Function BTM_SetBleDataLength
790 *
791 * Description This function is to set maximum BLE transmission packet size
792 *
793 * Returns BTM_SUCCESS if success; otherwise failed.
794 *
795 ******************************************************************************/
BTM_SetBleDataLength(const RawAddress & bd_addr,uint16_t tx_pdu_length)796 tBTM_STATUS BTM_SetBleDataLength(const RawAddress& bd_addr,
797 uint16_t tx_pdu_length) {
798 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
799
800 if (p_acl == NULL) {
801 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
802 __func__);
803 return BTM_WRONG_MODE;
804 }
805
806 BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __func__, tx_pdu_length);
807
808 if (!controller_get_interface()->supports_ble_packet_extension()) {
809 BTM_TRACE_ERROR("%s failed, request not supported", __func__);
810 return BTM_ILLEGAL_VALUE;
811 }
812
813 if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) {
814 BTM_TRACE_ERROR("%s failed, peer does not support request", __func__);
815 return BTM_ILLEGAL_VALUE;
816 }
817
818 if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX)
819 tx_pdu_length = BTM_BLE_DATA_SIZE_MAX;
820 else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN)
821 tx_pdu_length = BTM_BLE_DATA_SIZE_MIN;
822
823 /* always set the TxTime to be max, as controller does not care for now */
824 btsnd_hcic_ble_set_data_length(p_acl->hci_handle, tx_pdu_length,
825 BTM_BLE_DATA_TX_TIME_MAX);
826
827 return BTM_SUCCESS;
828 }
829
read_phy_cb(base::Callback<void (uint8_t tx_phy,uint8_t rx_phy,uint8_t status)> cb,uint8_t * data,uint16_t len)830 void read_phy_cb(
831 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb,
832 uint8_t* data, uint16_t len) {
833 uint8_t status, tx_phy, rx_phy;
834 uint16_t handle;
835
836 LOG_ASSERT(len == 5) << "Received bad response length: " << len;
837 uint8_t* pp = data;
838 STREAM_TO_UINT8(status, pp);
839 STREAM_TO_UINT16(handle, pp);
840 handle = handle & 0x0FFF;
841 STREAM_TO_UINT8(tx_phy, pp);
842 STREAM_TO_UINT8(rx_phy, pp);
843
844 DVLOG(1) << __func__ << " Received read_phy_cb";
845 cb.Run(tx_phy, rx_phy, status);
846 }
847
848 /*******************************************************************************
849 *
850 * Function BTM_BleReadPhy
851 *
852 * Description To read the current PHYs for specified LE connection
853 *
854 *
855 * Returns BTM_SUCCESS if command successfully sent to controller,
856 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
857 * 2M or LE Coded PHY,
858 * BTM_WRONG_MODE if Device in wrong mode for request.
859 *
860 ******************************************************************************/
BTM_BleReadPhy(const RawAddress & bd_addr,base::Callback<void (uint8_t tx_phy,uint8_t rx_phy,uint8_t status)> cb)861 void BTM_BleReadPhy(
862 const RawAddress& bd_addr,
863 base::Callback<void(uint8_t tx_phy, uint8_t rx_phy, uint8_t status)> cb) {
864 BTM_TRACE_DEBUG("%s", __func__);
865
866 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
867
868 if (p_acl == NULL) {
869 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
870 __func__);
871 cb.Run(0, 0, HCI_ERR_NO_CONNECTION);
872 return;
873 }
874
875 // checking if local controller supports it!
876 if (!controller_get_interface()->supports_ble_2m_phy() &&
877 !controller_get_interface()->supports_ble_coded_phy()) {
878 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
879 __func__);
880 cb.Run(0, 0, GATT_REQ_NOT_SUPPORTED);
881 return;
882 }
883
884 uint16_t handle = p_acl->hci_handle;
885
886 const uint8_t len = HCIC_PARAM_SIZE_BLE_READ_PHY;
887 uint8_t data[len];
888 uint8_t* pp = data;
889 UINT16_TO_STREAM(pp, handle);
890 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_READ_PHY, data, len,
891 base::Bind(&read_phy_cb, std::move(cb)));
892 return;
893 }
894
doNothing(uint8_t * data,uint16_t len)895 void doNothing(uint8_t* data, uint16_t len) {}
896
897 /*******************************************************************************
898 *
899 * Function BTM_BleSetDefaultPhy
900 *
901 * Description To set preferred PHY for ensuing LE connections
902 *
903 *
904 * Returns BTM_SUCCESS if command successfully sent to controller,
905 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
906 * 2M or LE Coded PHY
907 *
908 ******************************************************************************/
BTM_BleSetDefaultPhy(uint8_t all_phys,uint8_t tx_phys,uint8_t rx_phys)909 tBTM_STATUS BTM_BleSetDefaultPhy(uint8_t all_phys, uint8_t tx_phys,
910 uint8_t rx_phys) {
911 BTM_TRACE_DEBUG("%s: all_phys = 0x%02x, tx_phys = 0x%02x, rx_phys = 0x%02x",
912 __func__, all_phys, tx_phys, rx_phys);
913
914 // checking if local controller supports it!
915 if (!controller_get_interface()->supports_ble_2m_phy() &&
916 !controller_get_interface()->supports_ble_coded_phy()) {
917 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
918 __func__);
919 return BTM_MODE_UNSUPPORTED;
920 }
921
922 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_DEFAULT_PHY;
923 uint8_t data[len];
924 uint8_t* pp = data;
925 UINT8_TO_STREAM(pp, all_phys);
926 UINT8_TO_STREAM(pp, tx_phys);
927 UINT8_TO_STREAM(pp, rx_phys);
928 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_DEFAULT_PHY, data, len,
929 base::Bind(doNothing));
930 return BTM_SUCCESS;
931 }
932
933 /*******************************************************************************
934 *
935 * Function BTM_BleSetPhy
936 *
937 * Description To set PHY preferences for specified LE connection
938 *
939 *
940 * Returns BTM_SUCCESS if command successfully sent to controller,
941 * BTM_MODE_UNSUPPORTED if local controller doesn't support LE
942 * 2M or LE Coded PHY,
943 * BTM_ILLEGAL_VALUE if specified remote doesn't support LE 2M
944 * or LE Coded PHY,
945 * BTM_WRONG_MODE if Device in wrong mode for request.
946 *
947 ******************************************************************************/
BTM_BleSetPhy(const RawAddress & bd_addr,uint8_t tx_phys,uint8_t rx_phys,uint16_t phy_options)948 void BTM_BleSetPhy(const RawAddress& bd_addr, uint8_t tx_phys, uint8_t rx_phys,
949 uint16_t phy_options) {
950 tACL_CONN* p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE);
951
952 if (p_acl == NULL) {
953 BTM_TRACE_ERROR("%s: Wrong mode: no LE link exist or LE not supported",
954 __func__);
955 return;
956 }
957
958 uint8_t all_phys = 0;
959 if (tx_phys == 0) all_phys &= 0x01;
960 if (rx_phys == 0) all_phys &= 0x02;
961
962 BTM_TRACE_DEBUG(
963 "%s: all_phys = 0x%02x, tx_phys = 0x%02x, rx_phys = 0x%02x, phy_options "
964 "= 0x%04x",
965 __func__, all_phys, tx_phys, rx_phys, phy_options);
966
967 uint16_t handle = p_acl->hci_handle;
968
969 // checking if local controller supports it!
970 if (!controller_get_interface()->supports_ble_2m_phy() &&
971 !controller_get_interface()->supports_ble_coded_phy()) {
972 BTM_TRACE_ERROR("%s failed, request not supported in local controller!",
973 __func__);
974 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys);
975 return;
976 }
977
978 if (!HCI_LE_2M_PHY_SUPPORTED(p_acl->peer_le_features) &&
979 !HCI_LE_CODED_PHY_SUPPORTED(p_acl->peer_le_features)) {
980 BTM_TRACE_ERROR("%s failed, peer does not support request", __func__);
981 gatt_notify_phy_updated(GATT_REQ_NOT_SUPPORTED, handle, tx_phys, rx_phys);
982 return;
983 }
984
985 const uint8_t len = HCIC_PARAM_SIZE_BLE_SET_PHY;
986 uint8_t data[len];
987 uint8_t* pp = data;
988 UINT16_TO_STREAM(pp, handle);
989 UINT8_TO_STREAM(pp, all_phys);
990 UINT8_TO_STREAM(pp, tx_phys);
991 UINT8_TO_STREAM(pp, rx_phys);
992 UINT16_TO_STREAM(pp, phy_options);
993 btu_hcif_send_cmd_with_cb(FROM_HERE, HCI_BLE_SET_PHY, data, len,
994 base::Bind(doNothing));
995 }
996
997 /*******************************************************************************
998 *
999 * Function btm_ble_determine_security_act
1000 *
1001 * Description This function checks the security of current LE link
1002 * and returns the appropriate action that needs to be
1003 * taken to achieve the required security.
1004 *
1005 * Parameter is_originator - True if outgoing connection
1006 * bdaddr: remote device address
1007 * security_required: Security required for the service.
1008 *
1009 * Returns The appropriate security action required.
1010 *
1011 ******************************************************************************/
btm_ble_determine_security_act(bool is_originator,const RawAddress & bdaddr,uint16_t security_required)1012 tBTM_SEC_ACTION btm_ble_determine_security_act(bool is_originator,
1013 const RawAddress& bdaddr,
1014 uint16_t security_required) {
1015 tBTM_LE_AUTH_REQ auth_req = 0x00;
1016
1017 if (is_originator) {
1018 if ((security_required & BTM_SEC_OUT_FLAGS) == 0 &&
1019 (security_required & BTM_SEC_OUT_MITM) == 0) {
1020 BTM_TRACE_DEBUG("%s No security required for outgoing connection",
1021 __func__);
1022 return BTM_SEC_OK;
1023 }
1024
1025 if (security_required & BTM_SEC_OUT_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM;
1026 } else {
1027 if ((security_required & BTM_SEC_IN_FLAGS) == 0 &&
1028 (security_required & BTM_SEC_IN_MITM) == 0) {
1029 BTM_TRACE_DEBUG("%s No security required for incoming connection",
1030 __func__);
1031 return BTM_SEC_OK;
1032 }
1033
1034 if (security_required & BTM_SEC_IN_MITM) auth_req |= BTM_LE_AUTH_REQ_MITM;
1035 }
1036
1037 tBTM_BLE_SEC_REQ_ACT ble_sec_act;
1038 btm_ble_link_sec_check(bdaddr, auth_req, &ble_sec_act);
1039
1040 BTM_TRACE_DEBUG("%s ble_sec_act %d", __func__, ble_sec_act);
1041
1042 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_DISCARD) return BTM_SEC_ENC_PENDING;
1043
1044 if (ble_sec_act == BTM_BLE_SEC_REQ_ACT_NONE) return BTM_SEC_OK;
1045
1046 uint8_t sec_flag = 0;
1047 BTM_GetSecurityFlagsByTransport(bdaddr, &sec_flag, BT_TRANSPORT_LE);
1048
1049 bool is_link_encrypted = false;
1050 bool is_key_mitm = false;
1051 if (sec_flag & (BTM_SEC_FLAG_ENCRYPTED | BTM_SEC_FLAG_LKEY_KNOWN)) {
1052 if (sec_flag & BTM_SEC_FLAG_ENCRYPTED) is_link_encrypted = true;
1053
1054 if (sec_flag & BTM_SEC_FLAG_LKEY_AUTHED) is_key_mitm = true;
1055 }
1056
1057 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
1058 if (!is_key_mitm) {
1059 return BTM_SEC_ENCRYPT_MITM;
1060 } else {
1061 if (is_link_encrypted)
1062 return BTM_SEC_OK;
1063 else
1064 return BTM_SEC_ENCRYPT;
1065 }
1066 } else {
1067 if (is_link_encrypted)
1068 return BTM_SEC_OK;
1069 else
1070 return BTM_SEC_ENCRYPT_NO_MITM;
1071 }
1072
1073 return BTM_SEC_OK;
1074 }
1075
1076 /*******************************************************************************
1077 *
1078 * Function btm_ble_start_sec_check
1079 *
1080 * Description This function is to check and set the security required for
1081 * LE link for LE COC.
1082 *
1083 * Parameter bdaddr: remote device address.
1084 * psm : PSM of the LE COC sevice.
1085 * is_originator: true if outgoing connection.
1086 * p_callback : Pointer to the callback function.
1087 * p_ref_data : Pointer to be returned along with the callback.
1088 *
1089 * Returns true if link already meets the required security; otherwise
1090 * false.
1091 *
1092 ******************************************************************************/
btm_ble_start_sec_check(const RawAddress & bd_addr,uint16_t psm,bool is_originator,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)1093 bool btm_ble_start_sec_check(const RawAddress& bd_addr, uint16_t psm,
1094 bool is_originator, tBTM_SEC_CALLBACK* p_callback,
1095 void* p_ref_data) {
1096 /* Find the service record for the PSM */
1097 tBTM_SEC_SERV_REC* p_serv_rec = btm_sec_find_first_serv(is_originator, psm);
1098
1099 /* If there is no application registered with this PSM do not allow connection
1100 */
1101 if (!p_serv_rec) {
1102 BTM_TRACE_WARNING("%s PSM: %d no application registerd", __func__, psm);
1103 (*p_callback)(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_MODE_UNSUPPORTED);
1104 return false;
1105 }
1106
1107 tBTM_SEC_ACTION sec_act = btm_ble_determine_security_act(
1108 is_originator, bd_addr, p_serv_rec->security_flags);
1109
1110 tBTM_BLE_SEC_ACT ble_sec_act = BTM_BLE_SEC_NONE;
1111 bool status = false;
1112
1113 switch (sec_act) {
1114 case BTM_SEC_OK:
1115 BTM_TRACE_DEBUG("%s Security met", __func__);
1116 p_callback(&bd_addr, BT_TRANSPORT_LE, p_ref_data, BTM_SUCCESS);
1117 status = true;
1118 break;
1119
1120 case BTM_SEC_ENCRYPT:
1121 BTM_TRACE_DEBUG("%s Encryption needs to be done", __func__);
1122 ble_sec_act = BTM_BLE_SEC_ENCRYPT;
1123 break;
1124
1125 case BTM_SEC_ENCRYPT_MITM:
1126 BTM_TRACE_DEBUG("%s Pairing with MITM needs to be done", __func__);
1127 ble_sec_act = BTM_BLE_SEC_ENCRYPT_MITM;
1128 break;
1129
1130 case BTM_SEC_ENCRYPT_NO_MITM:
1131 BTM_TRACE_DEBUG("%s Pairing with No MITM needs to be done", __func__);
1132 ble_sec_act = BTM_BLE_SEC_ENCRYPT_NO_MITM;
1133 break;
1134
1135 case BTM_SEC_ENC_PENDING:
1136 BTM_TRACE_DEBUG("%s Ecryption pending", __func__);
1137 break;
1138 }
1139
1140 if (ble_sec_act == BTM_BLE_SEC_NONE) return status;
1141
1142 tL2C_LCB* p_lcb = l2cu_find_lcb_by_bd_addr(bd_addr, BT_TRANSPORT_LE);
1143 p_lcb->sec_act = sec_act;
1144 BTM_SetEncryption(bd_addr, BT_TRANSPORT_LE, p_callback, p_ref_data,
1145 ble_sec_act);
1146
1147 return false;
1148 }
1149
1150 /*******************************************************************************
1151 *
1152 * Function btm_ble_rand_enc_complete
1153 *
1154 * Description This function is the callback functions for HCI_Rand command
1155 * and HCI_Encrypt command is completed.
1156 * This message is received from the HCI.
1157 *
1158 * Returns void
1159 *
1160 ******************************************************************************/
btm_ble_rand_enc_complete(uint8_t * p,uint16_t op_code,tBTM_RAND_ENC_CB * p_enc_cplt_cback)1161 void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,
1162 tBTM_RAND_ENC_CB* p_enc_cplt_cback) {
1163 tBTM_RAND_ENC params;
1164 uint8_t* p_dest = params.param_buf;
1165
1166 BTM_TRACE_DEBUG("btm_ble_rand_enc_complete");
1167
1168 memset(¶ms, 0, sizeof(tBTM_RAND_ENC));
1169
1170 /* If there was a callback address for vcs complete, call it */
1171 if (p_enc_cplt_cback && p) {
1172 /* Pass paramters to the callback function */
1173 STREAM_TO_UINT8(params.status, p); /* command status */
1174
1175 if (params.status == HCI_SUCCESS) {
1176 params.opcode = op_code;
1177
1178 if (op_code == HCI_BLE_RAND)
1179 params.param_len = BT_OCTET8_LEN;
1180 else
1181 params.param_len = BT_OCTET16_LEN;
1182
1183 /* Fetch return info from HCI event message */
1184 memcpy(p_dest, p, params.param_len);
1185 }
1186 if (p_enc_cplt_cback) /* Call the Encryption complete callback function */
1187 (*p_enc_cplt_cback)(¶ms);
1188 }
1189 }
1190
1191 /*******************************************************************************
1192 *
1193 * Function btm_ble_get_enc_key_type
1194 *
1195 * Description This function is to increment local sign counter
1196 * Returns None
1197 *
1198 ******************************************************************************/
btm_ble_increment_sign_ctr(const RawAddress & bd_addr,bool is_local)1199 void btm_ble_increment_sign_ctr(const RawAddress& bd_addr, bool is_local) {
1200 tBTM_SEC_DEV_REC* p_dev_rec;
1201
1202 BTM_TRACE_DEBUG("btm_ble_increment_sign_ctr is_local=%d", is_local);
1203
1204 p_dev_rec = btm_find_dev(bd_addr);
1205 if (p_dev_rec != NULL) {
1206 if (is_local)
1207 p_dev_rec->ble.keys.local_counter++;
1208 else
1209 p_dev_rec->ble.keys.counter++;
1210 BTM_TRACE_DEBUG("is_local=%d local sign counter=%d peer sign counter=%d",
1211 is_local, p_dev_rec->ble.keys.local_counter,
1212 p_dev_rec->ble.keys.counter);
1213 }
1214 }
1215
1216 /*******************************************************************************
1217 *
1218 * Function btm_ble_get_enc_key_type
1219 *
1220 * Description This function is to get the BLE key type that has been
1221 * exchanged betweem the local device and the peer device.
1222 *
1223 * Returns p_key_type: output parameter to carry the key type value.
1224 *
1225 ******************************************************************************/
btm_ble_get_enc_key_type(const RawAddress & bd_addr,uint8_t * p_key_types)1226 bool btm_ble_get_enc_key_type(const RawAddress& bd_addr, uint8_t* p_key_types) {
1227 tBTM_SEC_DEV_REC* p_dev_rec;
1228
1229 BTM_TRACE_DEBUG("btm_ble_get_enc_key_type");
1230
1231 p_dev_rec = btm_find_dev(bd_addr);
1232 if (p_dev_rec != NULL) {
1233 *p_key_types = p_dev_rec->ble.key_type;
1234 return true;
1235 }
1236 return false;
1237 }
1238
1239 /*******************************************************************************
1240 *
1241 * Function btm_get_local_div
1242 *
1243 * Description This function is called to read the local DIV
1244 *
1245 * Returns TURE - if a valid DIV is availavle
1246 ******************************************************************************/
btm_get_local_div(const RawAddress & bd_addr,uint16_t * p_div)1247 bool btm_get_local_div(const RawAddress& bd_addr, uint16_t* p_div) {
1248 tBTM_SEC_DEV_REC* p_dev_rec;
1249 bool status = false;
1250 VLOG(1) << __func__ << " bd_addr: " << bd_addr;
1251
1252 *p_div = 0;
1253 p_dev_rec = btm_find_dev(bd_addr);
1254
1255 if (p_dev_rec && p_dev_rec->ble.keys.div) {
1256 status = true;
1257 *p_div = p_dev_rec->ble.keys.div;
1258 }
1259 BTM_TRACE_DEBUG("btm_get_local_div status=%d (1-OK) DIV=0x%x", status,
1260 *p_div);
1261 return status;
1262 }
1263
1264 /*******************************************************************************
1265 *
1266 * Function btm_sec_save_le_key
1267 *
1268 * Description This function is called by the SMP to update
1269 * an BLE key. SMP is internal, whereas all the keys shall
1270 * be sent to the application. The function is also called
1271 * when application passes ble key stored in NVRAM to the
1272 * btm_sec.
1273 * pass_to_application parameter is false in this case.
1274 *
1275 * Returns void
1276 *
1277 ******************************************************************************/
btm_sec_save_le_key(const RawAddress & bd_addr,tBTM_LE_KEY_TYPE key_type,tBTM_LE_KEY_VALUE * p_keys,bool pass_to_application)1278 void btm_sec_save_le_key(const RawAddress& bd_addr, tBTM_LE_KEY_TYPE key_type,
1279 tBTM_LE_KEY_VALUE* p_keys, bool pass_to_application) {
1280 tBTM_SEC_DEV_REC* p_rec;
1281 tBTM_LE_EVT_DATA cb_data;
1282 uint8_t i;
1283
1284 BTM_TRACE_DEBUG("btm_sec_save_le_key key_type=0x%x pass_to_application=%d",
1285 key_type, pass_to_application);
1286 /* Store the updated key in the device database */
1287
1288 VLOG(1) << "bd_addr:" << bd_addr;
1289
1290 if ((p_rec = btm_find_dev(bd_addr)) != NULL &&
1291 (p_keys || key_type == BTM_LE_KEY_LID)) {
1292 btm_ble_init_pseudo_addr(p_rec, bd_addr);
1293
1294 switch (key_type) {
1295 case BTM_LE_KEY_PENC:
1296 memcpy(p_rec->ble.keys.pltk, p_keys->penc_key.ltk, BT_OCTET16_LEN);
1297 memcpy(p_rec->ble.keys.rand, p_keys->penc_key.rand, BT_OCTET8_LEN);
1298 p_rec->ble.keys.sec_level = p_keys->penc_key.sec_level;
1299 p_rec->ble.keys.ediv = p_keys->penc_key.ediv;
1300 p_rec->ble.keys.key_size = p_keys->penc_key.key_size;
1301 p_rec->ble.key_type |= BTM_LE_KEY_PENC;
1302 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1303 if (p_keys->penc_key.sec_level == SMP_SEC_AUTHENTICATED)
1304 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1305 else
1306 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1307 BTM_TRACE_DEBUG(
1308 "BTM_LE_KEY_PENC key_type=0x%x sec_flags=0x%x sec_leve=0x%x",
1309 p_rec->ble.key_type, p_rec->sec_flags, p_rec->ble.keys.sec_level);
1310 break;
1311
1312 case BTM_LE_KEY_PID:
1313 for (i = 0; i < BT_OCTET16_LEN; i++) {
1314 p_rec->ble.keys.irk[i] = p_keys->pid_key.irk[i];
1315 }
1316
1317 // memcpy( p_rec->ble.keys.irk, p_keys->pid_key, BT_OCTET16_LEN); todo
1318 // will crash the system
1319 p_rec->ble.static_addr = p_keys->pid_key.static_addr;
1320 p_rec->ble.static_addr_type = p_keys->pid_key.addr_type;
1321 p_rec->ble.key_type |= BTM_LE_KEY_PID;
1322 BTM_TRACE_DEBUG(
1323 "%s: BTM_LE_KEY_PID key_type=0x%x save peer IRK, change bd_addr=%s "
1324 "to static_addr=%s",
1325 __func__, p_rec->ble.key_type, p_rec->bd_addr.ToString().c_str(),
1326 p_keys->pid_key.static_addr.ToString().c_str());
1327 /* update device record address as static address */
1328 p_rec->bd_addr = p_keys->pid_key.static_addr;
1329 /* combine DUMO device security record if needed */
1330 btm_consolidate_dev(p_rec);
1331 break;
1332
1333 case BTM_LE_KEY_PCSRK:
1334 memcpy(p_rec->ble.keys.pcsrk, p_keys->pcsrk_key.csrk, BT_OCTET16_LEN);
1335 p_rec->ble.keys.srk_sec_level = p_keys->pcsrk_key.sec_level;
1336 p_rec->ble.keys.counter = p_keys->pcsrk_key.counter;
1337 p_rec->ble.key_type |= BTM_LE_KEY_PCSRK;
1338 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_KNOWN;
1339 if (p_keys->pcsrk_key.sec_level == SMP_SEC_AUTHENTICATED)
1340 p_rec->sec_flags |= BTM_SEC_LE_LINK_KEY_AUTHED;
1341 else
1342 p_rec->sec_flags &= ~BTM_SEC_LE_LINK_KEY_AUTHED;
1343
1344 BTM_TRACE_DEBUG(
1345 "BTM_LE_KEY_PCSRK key_type=0x%x sec_flags=0x%x sec_level=0x%x "
1346 "peer_counter=%d",
1347 p_rec->ble.key_type, p_rec->sec_flags,
1348 p_rec->ble.keys.srk_sec_level, p_rec->ble.keys.counter);
1349 break;
1350
1351 case BTM_LE_KEY_LENC:
1352 memcpy(p_rec->ble.keys.lltk, p_keys->lenc_key.ltk, BT_OCTET16_LEN);
1353 p_rec->ble.keys.div = p_keys->lenc_key.div; /* update DIV */
1354 p_rec->ble.keys.sec_level = p_keys->lenc_key.sec_level;
1355 p_rec->ble.keys.key_size = p_keys->lenc_key.key_size;
1356 p_rec->ble.key_type |= BTM_LE_KEY_LENC;
1357
1358 BTM_TRACE_DEBUG(
1359 "BTM_LE_KEY_LENC key_type=0x%x DIV=0x%x key_size=0x%x "
1360 "sec_level=0x%x",
1361 p_rec->ble.key_type, p_rec->ble.keys.div, p_rec->ble.keys.key_size,
1362 p_rec->ble.keys.sec_level);
1363 break;
1364
1365 case BTM_LE_KEY_LCSRK: /* local CSRK has been delivered */
1366 memcpy(p_rec->ble.keys.lcsrk, p_keys->lcsrk_key.csrk, BT_OCTET16_LEN);
1367 p_rec->ble.keys.div = p_keys->lcsrk_key.div; /* update DIV */
1368 p_rec->ble.keys.local_csrk_sec_level = p_keys->lcsrk_key.sec_level;
1369 p_rec->ble.keys.local_counter = p_keys->lcsrk_key.counter;
1370 p_rec->ble.key_type |= BTM_LE_KEY_LCSRK;
1371 BTM_TRACE_DEBUG(
1372 "BTM_LE_KEY_LCSRK key_type=0x%x DIV=0x%x scrk_sec_level=0x%x "
1373 "local_counter=%d",
1374 p_rec->ble.key_type, p_rec->ble.keys.div,
1375 p_rec->ble.keys.local_csrk_sec_level,
1376 p_rec->ble.keys.local_counter);
1377 break;
1378
1379 case BTM_LE_KEY_LID:
1380 p_rec->ble.key_type |= BTM_LE_KEY_LID;
1381 break;
1382 default:
1383 BTM_TRACE_WARNING("btm_sec_save_le_key (Bad key_type 0x%02x)",
1384 key_type);
1385 return;
1386 }
1387
1388 VLOG(1) << "BLE key type 0x" << loghex(key_type)
1389 << " updated for BDA: " << bd_addr << " (btm_sec_save_le_key)";
1390
1391 /* Notify the application that one of the BLE keys has been updated
1392 If link key is in progress, it will get sent later.*/
1393 if (pass_to_application && btm_cb.api.p_le_callback) {
1394 cb_data.key.p_key_value = p_keys;
1395 cb_data.key.key_type = key_type;
1396
1397 (*btm_cb.api.p_le_callback)(BTM_LE_KEY_EVT, bd_addr, &cb_data);
1398 }
1399 return;
1400 }
1401
1402 LOG(WARNING) << "BLE key type 0x" << loghex(key_type)
1403 << " called for Unknown BDA or type: " << bd_addr
1404 << "(btm_sec_save_le_key)";
1405
1406 if (p_rec) {
1407 BTM_TRACE_DEBUG("sec_flags=0x%x", p_rec->sec_flags);
1408 }
1409 }
1410
1411 /*******************************************************************************
1412 *
1413 * Function btm_ble_update_sec_key_size
1414 *
1415 * Description update the current lin kencryption key size
1416 *
1417 * Returns void
1418 *
1419 ******************************************************************************/
btm_ble_update_sec_key_size(const RawAddress & bd_addr,uint8_t enc_key_size)1420 void btm_ble_update_sec_key_size(const RawAddress& bd_addr,
1421 uint8_t enc_key_size) {
1422 tBTM_SEC_DEV_REC* p_rec;
1423
1424 BTM_TRACE_DEBUG("btm_ble_update_sec_key_size enc_key_size = %d",
1425 enc_key_size);
1426
1427 p_rec = btm_find_dev(bd_addr);
1428 if (p_rec != NULL) {
1429 p_rec->enc_key_size = enc_key_size;
1430 }
1431 }
1432
1433 /*******************************************************************************
1434 *
1435 * Function btm_ble_read_sec_key_size
1436 *
1437 * Description update the current lin kencryption key size
1438 *
1439 * Returns void
1440 *
1441 ******************************************************************************/
btm_ble_read_sec_key_size(const RawAddress & bd_addr)1442 uint8_t btm_ble_read_sec_key_size(const RawAddress& bd_addr) {
1443 tBTM_SEC_DEV_REC* p_rec;
1444
1445 p_rec = btm_find_dev(bd_addr);
1446 if (p_rec != NULL) {
1447 return p_rec->enc_key_size;
1448 } else
1449 return 0;
1450 }
1451
1452 /*******************************************************************************
1453 *
1454 * Function btm_ble_link_sec_check
1455 *
1456 * Description Check BLE link security level match.
1457 *
1458 * Returns true: check is OK and the *p_sec_req_act contain the action
1459 *
1460 ******************************************************************************/
btm_ble_link_sec_check(const RawAddress & bd_addr,tBTM_LE_AUTH_REQ auth_req,tBTM_BLE_SEC_REQ_ACT * p_sec_req_act)1461 void btm_ble_link_sec_check(const RawAddress& bd_addr,
1462 tBTM_LE_AUTH_REQ auth_req,
1463 tBTM_BLE_SEC_REQ_ACT* p_sec_req_act) {
1464 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1465 uint8_t req_sec_level = BTM_LE_SEC_NONE, cur_sec_level = BTM_LE_SEC_NONE;
1466
1467 BTM_TRACE_DEBUG("btm_ble_link_sec_check auth_req =0x%x", auth_req);
1468
1469 if (p_dev_rec == NULL) {
1470 BTM_TRACE_ERROR("btm_ble_link_sec_check received for unknown device");
1471 return;
1472 }
1473
1474 if (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
1475 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) {
1476 /* race condition: discard the security request while master is encrypting
1477 * the link */
1478 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_DISCARD;
1479 } else {
1480 req_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1481 if (auth_req & BTM_LE_AUTH_REQ_MITM) {
1482 req_sec_level = BTM_LE_SEC_AUTHENTICATED;
1483 }
1484
1485 BTM_TRACE_DEBUG("dev_rec sec_flags=0x%x", p_dev_rec->sec_flags);
1486
1487 /* currently encrpted */
1488 if (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED) {
1489 if (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED)
1490 cur_sec_level = BTM_LE_SEC_AUTHENTICATED;
1491 else
1492 cur_sec_level = BTM_LE_SEC_UNAUTHENTICATE;
1493 } else /* unencrypted link */
1494 {
1495 /* if bonded, get the key security level */
1496 if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC)
1497 cur_sec_level = p_dev_rec->ble.keys.sec_level;
1498 else
1499 cur_sec_level = BTM_LE_SEC_NONE;
1500 }
1501
1502 if (cur_sec_level >= req_sec_level) {
1503 /* To avoid re-encryption on an encrypted link for an equal condition
1504 * encryption */
1505 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_ENCRYPT;
1506 } else {
1507 /* start the pariring process to upgrade the keys*/
1508 *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_PAIR;
1509 }
1510 }
1511
1512 BTM_TRACE_DEBUG("cur_sec_level=%d req_sec_level=%d sec_req_act=%d",
1513 cur_sec_level, req_sec_level, *p_sec_req_act);
1514 }
1515
1516 /*******************************************************************************
1517 *
1518 * Function btm_ble_set_encryption
1519 *
1520 * Description This function is called to ensure that LE connection is
1521 * encrypted. Should be called only on an open connection.
1522 * Typically only needed for connections that first want to
1523 * bring up unencrypted links, then later encrypt them.
1524 *
1525 * Returns void
1526 * the local device ER is copied into er
1527 *
1528 ******************************************************************************/
btm_ble_set_encryption(const RawAddress & bd_addr,tBTM_BLE_SEC_ACT sec_act,uint8_t link_role)1529 tBTM_STATUS btm_ble_set_encryption(const RawAddress& bd_addr,
1530 tBTM_BLE_SEC_ACT sec_act,
1531 uint8_t link_role) {
1532 tBTM_STATUS cmd = BTM_NO_RESOURCES;
1533 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
1534 tBTM_BLE_SEC_REQ_ACT sec_req_act;
1535 tBTM_LE_AUTH_REQ auth_req;
1536
1537 if (p_rec == NULL) {
1538 BTM_TRACE_WARNING(
1539 "btm_ble_set_encryption (NULL device record!! sec_act=0x%x", sec_act);
1540 return (BTM_WRONG_MODE);
1541 }
1542
1543 BTM_TRACE_DEBUG("btm_ble_set_encryption sec_act=0x%x role_master=%d", sec_act,
1544 p_rec->role_master);
1545
1546 if (sec_act == BTM_BLE_SEC_ENCRYPT_MITM) {
1547 p_rec->security_required |= BTM_SEC_IN_MITM;
1548 }
1549
1550 switch (sec_act) {
1551 case BTM_BLE_SEC_ENCRYPT:
1552 if (link_role == BTM_ROLE_MASTER) {
1553 /* start link layer encryption using the security info stored */
1554 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1555 break;
1556 }
1557 /* if salve role then fall through to call SMP_Pair below which will send a
1558 sec_request to request the master to encrypt the link */
1559 case BTM_BLE_SEC_ENCRYPT_NO_MITM:
1560 case BTM_BLE_SEC_ENCRYPT_MITM:
1561 auth_req = (sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
1562 ? SMP_AUTH_BOND
1563 : (SMP_AUTH_BOND | SMP_AUTH_YN_BIT);
1564 btm_ble_link_sec_check(bd_addr, auth_req, &sec_req_act);
1565 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_NONE ||
1566 sec_req_act == BTM_BLE_SEC_REQ_ACT_DISCARD) {
1567 BTM_TRACE_DEBUG("%s, no action needed. Ignore", __func__);
1568 cmd = BTM_SUCCESS;
1569 break;
1570 }
1571 if (link_role == BTM_ROLE_MASTER) {
1572 if (sec_req_act == BTM_BLE_SEC_REQ_ACT_ENCRYPT) {
1573 cmd = btm_ble_start_encrypt(bd_addr, false, NULL);
1574 break;
1575 }
1576 }
1577
1578 if (SMP_Pair(bd_addr) == SMP_STARTED) {
1579 cmd = BTM_CMD_STARTED;
1580 p_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1581 }
1582 break;
1583
1584 default:
1585 cmd = BTM_WRONG_MODE;
1586 break;
1587 }
1588 return cmd;
1589 }
1590
1591 /*******************************************************************************
1592 *
1593 * Function btm_ble_ltk_request
1594 *
1595 * Description This function is called when encryption request is received
1596 * on a slave device.
1597 *
1598 *
1599 * Returns void
1600 *
1601 ******************************************************************************/
btm_ble_ltk_request(uint16_t handle,uint8_t rand[8],uint16_t ediv)1602 void btm_ble_ltk_request(uint16_t handle, uint8_t rand[8], uint16_t ediv) {
1603 tBTM_CB* p_cb = &btm_cb;
1604 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(handle);
1605 BT_OCTET8 dummy_stk = {0};
1606
1607 BTM_TRACE_DEBUG("btm_ble_ltk_request");
1608
1609 p_cb->ediv = ediv;
1610
1611 memcpy(p_cb->enc_rand, rand, BT_OCTET8_LEN);
1612
1613 if (p_dev_rec != NULL) {
1614 if (!smp_proc_ltk_request(p_dev_rec->bd_addr))
1615 btm_ble_ltk_request_reply(p_dev_rec->bd_addr, false, dummy_stk);
1616 }
1617 }
1618
1619 /*******************************************************************************
1620 *
1621 * Function btm_ble_start_encrypt
1622 *
1623 * Description This function is called to start LE encryption.
1624 *
1625 *
1626 * Returns BTM_SUCCESS if encryption was started successfully
1627 *
1628 ******************************************************************************/
btm_ble_start_encrypt(const RawAddress & bda,bool use_stk,BT_OCTET16 stk)1629 tBTM_STATUS btm_ble_start_encrypt(const RawAddress& bda, bool use_stk,
1630 BT_OCTET16 stk) {
1631 tBTM_CB* p_cb = &btm_cb;
1632 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1633 BT_OCTET8 dummy_rand = {0};
1634
1635 BTM_TRACE_DEBUG("btm_ble_start_encrypt");
1636
1637 if (!p_rec) {
1638 BTM_TRACE_ERROR("Link is not active, can not encrypt!");
1639 return BTM_WRONG_MODE;
1640 }
1641
1642 if (p_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) {
1643 BTM_TRACE_WARNING("Link Encryption is active, Busy!");
1644 return BTM_BUSY;
1645 }
1646
1647 p_cb->enc_handle = p_rec->ble_hci_handle;
1648
1649 if (use_stk) {
1650 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, dummy_rand, 0, stk);
1651 } else if (p_rec->ble.key_type & BTM_LE_KEY_PENC) {
1652 btsnd_hcic_ble_start_enc(p_rec->ble_hci_handle, p_rec->ble.keys.rand,
1653 p_rec->ble.keys.ediv, p_rec->ble.keys.pltk);
1654 } else {
1655 BTM_TRACE_ERROR("No key available to encrypt the link");
1656 return BTM_NO_RESOURCES;
1657 }
1658
1659 if (p_rec->sec_state == BTM_SEC_STATE_IDLE)
1660 p_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
1661
1662 return BTM_CMD_STARTED;
1663 }
1664
1665 /*******************************************************************************
1666 *
1667 * Function btm_ble_link_encrypted
1668 *
1669 * Description This function is called when LE link encrption status is
1670 * changed.
1671 *
1672 * Returns void
1673 *
1674 ******************************************************************************/
btm_ble_link_encrypted(const RawAddress & bd_addr,uint8_t encr_enable)1675 void btm_ble_link_encrypted(const RawAddress& bd_addr, uint8_t encr_enable) {
1676 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
1677 bool enc_cback;
1678
1679 if (!p_dev_rec) {
1680 BTM_TRACE_WARNING(
1681 "btm_ble_link_encrypted (No Device Found!) encr_enable=%d",
1682 encr_enable);
1683 return;
1684 }
1685
1686 BTM_TRACE_DEBUG("btm_ble_link_encrypted encr_enable=%d", encr_enable);
1687
1688 enc_cback = (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING);
1689
1690 smp_link_encrypted(bd_addr, encr_enable);
1691
1692 BTM_TRACE_DEBUG(" p_dev_rec->sec_flags=0x%x", p_dev_rec->sec_flags);
1693
1694 if (encr_enable && p_dev_rec->enc_key_size == 0)
1695 p_dev_rec->enc_key_size = p_dev_rec->ble.keys.key_size;
1696
1697 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
1698 if (p_dev_rec->p_callback && enc_cback) {
1699 if (encr_enable)
1700 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_SUCCESS, true);
1701 else if (p_dev_rec->role_master)
1702 btm_sec_dev_rec_cback_event(p_dev_rec, BTM_ERR_PROCESSING, true);
1703 }
1704 /* to notify GATT to send data if any request is pending */
1705 gatt_notify_enc_cmpl(p_dev_rec->ble.pseudo_addr);
1706 }
1707
1708 /*******************************************************************************
1709 *
1710 * Function btm_ble_ltk_request_reply
1711 *
1712 * Description This function is called to send a LTK request reply on a
1713 * slave
1714 * device.
1715 *
1716 * Returns void
1717 *
1718 ******************************************************************************/
btm_ble_ltk_request_reply(const RawAddress & bda,bool use_stk,BT_OCTET16 stk)1719 void btm_ble_ltk_request_reply(const RawAddress& bda, bool use_stk,
1720 BT_OCTET16 stk) {
1721 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bda);
1722 tBTM_CB* p_cb = &btm_cb;
1723
1724 if (p_rec == NULL) {
1725 BTM_TRACE_ERROR("btm_ble_ltk_request_reply received for unknown device");
1726 return;
1727 }
1728
1729 BTM_TRACE_DEBUG("btm_ble_ltk_request_reply");
1730 p_cb->enc_handle = p_rec->ble_hci_handle;
1731 p_cb->key_size = p_rec->ble.keys.key_size;
1732
1733 BTM_TRACE_ERROR("key size = %d", p_rec->ble.keys.key_size);
1734 if (use_stk) {
1735 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, stk);
1736 } else /* calculate LTK using peer device */
1737 {
1738 if (p_rec->ble.key_type & BTM_LE_KEY_LENC)
1739 btsnd_hcic_ble_ltk_req_reply(btm_cb.enc_handle, p_rec->ble.keys.lltk);
1740 else
1741 btsnd_hcic_ble_ltk_req_neg_reply(btm_cb.enc_handle);
1742 }
1743 }
1744
1745 /*******************************************************************************
1746 *
1747 * Function btm_ble_io_capabilities_req
1748 *
1749 * Description This function is called to handle SMP get IO capability
1750 * request.
1751 *
1752 * Returns void
1753 *
1754 ******************************************************************************/
btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1755 uint8_t btm_ble_io_capabilities_req(tBTM_SEC_DEV_REC* p_dev_rec,
1756 tBTM_LE_IO_REQ* p_data) {
1757 uint8_t callback_rc = BTM_SUCCESS;
1758 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req");
1759 if (btm_cb.api.p_le_callback) {
1760 /* the callback function implementation may change the IO capability... */
1761 callback_rc = (*btm_cb.api.p_le_callback)(
1762 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data);
1763 }
1764 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != p_data->oob_data)) {
1765 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
1766 if (btm_cb.devcb.keep_rfu_in_auth_req) {
1767 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req keep_rfu_in_auth_req = %u",
1768 btm_cb.devcb.keep_rfu_in_auth_req);
1769 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK_KEEP_RFU;
1770 btm_cb.devcb.keep_rfu_in_auth_req = false;
1771 } else { /* default */
1772 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1773 }
1774 #else
1775 p_data->auth_req &= BTM_LE_AUTH_REQ_MASK;
1776 #endif
1777
1778 BTM_TRACE_DEBUG(
1779 "btm_ble_io_capabilities_req 1: p_dev_rec->security_required = %d "
1780 "auth_req:%d",
1781 p_dev_rec->security_required, p_data->auth_req);
1782 BTM_TRACE_DEBUG(
1783 "btm_ble_io_capabilities_req 2: i_keys=0x%x r_keys=0x%x (bit 0-LTK "
1784 "1-IRK 2-CSRK)",
1785 p_data->init_keys, p_data->resp_keys);
1786
1787 /* if authentication requires MITM protection, put on the mask */
1788 if (p_dev_rec->security_required & BTM_SEC_IN_MITM)
1789 p_data->auth_req |= BTM_LE_AUTH_REQ_MITM;
1790
1791 if (!(p_data->auth_req & SMP_AUTH_BOND)) {
1792 BTM_TRACE_DEBUG("Non bonding: No keys should be exchanged");
1793 p_data->init_keys = 0;
1794 p_data->resp_keys = 0;
1795 }
1796
1797 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 3: auth_req:%d",
1798 p_data->auth_req);
1799 BTM_TRACE_DEBUG("btm_ble_io_capabilities_req 4: i_keys=0x%x r_keys=0x%x",
1800 p_data->init_keys, p_data->resp_keys);
1801
1802 BTM_TRACE_DEBUG(
1803 "btm_ble_io_capabilities_req 5: p_data->io_cap = %d auth_req:%d",
1804 p_data->io_cap, p_data->auth_req);
1805
1806 /* remove MITM protection requirement if IO cap does not allow it */
1807 if ((p_data->io_cap == BTM_IO_CAP_NONE) && p_data->oob_data == SMP_OOB_NONE)
1808 p_data->auth_req &= ~BTM_LE_AUTH_REQ_MITM;
1809
1810 if (!(p_data->auth_req & SMP_SC_SUPPORT_BIT)) {
1811 /* if Secure Connections are not supported then remove LK derivation,
1812 ** and keypress notifications.
1813 */
1814 BTM_TRACE_DEBUG(
1815 "%s-SC not supported -> No LK derivation, no keypress notifications",
1816 __func__);
1817 p_data->auth_req &= ~SMP_KP_SUPPORT_BIT;
1818 p_data->init_keys &= ~SMP_SEC_KEY_TYPE_LK;
1819 p_data->resp_keys &= ~SMP_SEC_KEY_TYPE_LK;
1820 }
1821
1822 BTM_TRACE_DEBUG(
1823 "btm_ble_io_capabilities_req 6: IO_CAP:%d oob_data:%d auth_req:0x%02x",
1824 p_data->io_cap, p_data->oob_data, p_data->auth_req);
1825 }
1826 return callback_rc;
1827 }
1828
1829 /*******************************************************************************
1830 *
1831 * Function btm_ble_br_keys_req
1832 *
1833 * Description This function is called to handle SMP request for keys sent
1834 * over BR/EDR.
1835 *
1836 * Returns void
1837 *
1838 ******************************************************************************/
btm_ble_br_keys_req(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_LE_IO_REQ * p_data)1839 uint8_t btm_ble_br_keys_req(tBTM_SEC_DEV_REC* p_dev_rec,
1840 tBTM_LE_IO_REQ* p_data) {
1841 uint8_t callback_rc = BTM_SUCCESS;
1842 BTM_TRACE_DEBUG("%s", __func__);
1843 if (btm_cb.api.p_le_callback) {
1844 /* the callback function implementation may change the IO capability... */
1845 callback_rc = (*btm_cb.api.p_le_callback)(
1846 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, (tBTM_LE_EVT_DATA*)p_data);
1847 }
1848
1849 return callback_rc;
1850 }
1851
1852 /*******************************************************************************
1853 *
1854 * Function btm_ble_connected
1855 *
1856 * Description This function is when a LE connection to the peer device is
1857 * establsihed
1858 *
1859 * Returns void
1860 *
1861 ******************************************************************************/
btm_ble_connected(const RawAddress & bda,uint16_t handle,uint8_t enc_mode,uint8_t role,tBLE_ADDR_TYPE addr_type,UNUSED_ATTR bool addr_matched)1862 void btm_ble_connected(const RawAddress& bda, uint16_t handle, uint8_t enc_mode,
1863 uint8_t role, tBLE_ADDR_TYPE addr_type,
1864 UNUSED_ATTR bool addr_matched) {
1865 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bda);
1866 tBTM_BLE_CB* p_cb = &btm_cb.ble_ctr_cb;
1867
1868 BTM_TRACE_EVENT("btm_ble_connected");
1869
1870 /* Commenting out trace due to obf/compilation problems.
1871 */
1872 if (p_dev_rec) {
1873 VLOG(1) << __func__ << " Security Manager: handle:" << handle
1874 << " enc_mode:" << loghex(enc_mode) << " bda: " << bda
1875 << " RName: " << p_dev_rec->sec_bd_name
1876 << " p_dev_rec:" << p_dev_rec;
1877
1878 BTM_TRACE_DEBUG("btm_ble_connected sec_flags=0x%x", p_dev_rec->sec_flags);
1879 } else {
1880 VLOG(1) << __func__ << " Security Manager: handle:" << handle
1881 << " enc_mode:" << loghex(enc_mode) << " bda: " << bda
1882 << " p_dev_rec:" << p_dev_rec;
1883 }
1884
1885 if (!p_dev_rec) {
1886 /* There is no device record for new connection. Allocate one */
1887 p_dev_rec = btm_sec_alloc_dev(bda);
1888 if (p_dev_rec == NULL) return;
1889 } else /* Update the timestamp for this device */
1890 {
1891 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
1892 }
1893
1894 /* update device information */
1895 p_dev_rec->device_type |= BT_DEVICE_TYPE_BLE;
1896 p_dev_rec->ble_hci_handle = handle;
1897 p_dev_rec->ble.ble_addr_type = addr_type;
1898 /* update pseudo address */
1899 p_dev_rec->ble.pseudo_addr = bda;
1900
1901 p_dev_rec->role_master = false;
1902 if (role == HCI_ROLE_MASTER) p_dev_rec->role_master = true;
1903
1904 #if (BLE_PRIVACY_SPT == TRUE)
1905 if (!addr_matched) p_dev_rec->ble.active_addr_type = BTM_BLE_ADDR_PSEUDO;
1906
1907 if (p_dev_rec->ble.ble_addr_type == BLE_ADDR_RANDOM && !addr_matched)
1908 p_dev_rec->ble.cur_rand_addr = bda;
1909 #endif
1910
1911 p_cb->inq_var.directed_conn = BTM_BLE_CONNECT_EVT;
1912
1913 return;
1914 }
1915
1916 /*****************************************************************************
1917 * Function btm_ble_conn_complete
1918 *
1919 * Description LE connection complete.
1920 *
1921 *****************************************************************************/
btm_ble_conn_complete(uint8_t * p,UNUSED_ATTR uint16_t evt_len,bool enhanced)1922 void btm_ble_conn_complete(uint8_t* p, UNUSED_ATTR uint16_t evt_len,
1923 bool enhanced) {
1924 #if (BLE_PRIVACY_SPT == TRUE)
1925 uint8_t peer_addr_type;
1926 #endif
1927 RawAddress local_rpa, peer_rpa;
1928 uint8_t role, status, bda_type;
1929 uint16_t handle;
1930 RawAddress bda;
1931 uint16_t conn_interval, conn_latency, conn_timeout;
1932 bool match = false;
1933
1934 STREAM_TO_UINT8(status, p);
1935 STREAM_TO_UINT16(handle, p);
1936 STREAM_TO_UINT8(role, p);
1937 STREAM_TO_UINT8(bda_type, p);
1938 STREAM_TO_BDADDR(bda, p);
1939
1940 if (status == 0) {
1941 if (enhanced) {
1942 STREAM_TO_BDADDR(local_rpa, p);
1943 STREAM_TO_BDADDR(peer_rpa, p);
1944 }
1945
1946 STREAM_TO_UINT16(conn_interval, p);
1947 STREAM_TO_UINT16(conn_latency, p);
1948 STREAM_TO_UINT16(conn_timeout, p);
1949 handle = HCID_GET_HANDLE(handle);
1950
1951 #if (BLE_PRIVACY_SPT == TRUE)
1952 peer_addr_type = bda_type;
1953 match = btm_identity_addr_to_random_pseudo(&bda, &bda_type, true);
1954
1955 /* possiblly receive connection complete with resolvable random while
1956 the device has been paired */
1957 if (!match && BTM_BLE_IS_RESOLVE_BDA(bda)) {
1958 tBTM_SEC_DEV_REC* match_rec = btm_ble_resolve_random_addr(bda);
1959 if (match_rec) {
1960 LOG_INFO(LOG_TAG, "%s matched and resolved random address", __func__);
1961 match = true;
1962 match_rec->ble.active_addr_type = BTM_BLE_ADDR_RRA;
1963 match_rec->ble.cur_rand_addr = bda;
1964 if (!btm_ble_init_pseudo_addr(match_rec, bda)) {
1965 /* assign the original address to be the current report address */
1966 bda = match_rec->ble.pseudo_addr;
1967 } else {
1968 bda = match_rec->bd_addr;
1969 }
1970 } else {
1971 LOG_INFO(LOG_TAG, "%s unable to match and resolve random address",
1972 __func__);
1973 }
1974 }
1975 #endif
1976
1977 btm_ble_connected(bda, handle, HCI_ENCRYPT_MODE_DISABLED, role, bda_type,
1978 match);
1979
1980 l2cble_conn_comp(handle, role, bda, bda_type, conn_interval, conn_latency,
1981 conn_timeout);
1982
1983 #if (BLE_PRIVACY_SPT == TRUE)
1984 if (enhanced) {
1985 btm_ble_refresh_local_resolvable_private_addr(bda, local_rpa);
1986
1987 if (peer_addr_type & BLE_ADDR_TYPE_ID_BIT)
1988 btm_ble_refresh_peer_resolvable_private_addr(bda, peer_rpa,
1989 BLE_ADDR_RANDOM);
1990 }
1991 #endif
1992 } else {
1993 role = HCI_ROLE_UNKNOWN;
1994 if (status != HCI_ERR_ADVERTISING_TIMEOUT) {
1995 btm_ble_set_conn_st(BLE_CONN_IDLE);
1996 #if (BLE_PRIVACY_SPT == TRUE)
1997 btm_ble_disable_resolving_list(BTM_BLE_RL_INIT, true);
1998 #endif
1999 } else {
2000 #if (BLE_PRIVACY_SPT == TRUE)
2001 btm_cb.ble_ctr_cb.inq_var.adv_mode = BTM_BLE_ADV_DISABLE;
2002 btm_ble_disable_resolving_list(BTM_BLE_RL_ADV, true);
2003 #endif
2004 }
2005 }
2006
2007 btm_ble_update_mode_operation(role, &bda, status);
2008
2009 if (role == HCI_ROLE_SLAVE)
2010 btm_ble_advertiser_notify_terminated_legacy(status, handle);
2011 }
2012
2013 /*****************************************************************************
2014 * Function btm_ble_create_ll_conn_complete
2015 *
2016 * Description LE connection complete.
2017 *
2018 *****************************************************************************/
btm_ble_create_ll_conn_complete(uint8_t status)2019 void btm_ble_create_ll_conn_complete(uint8_t status) {
2020 if (status == HCI_SUCCESS) return;
2021
2022 btm_ble_set_conn_st(BLE_CONN_IDLE);
2023 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, NULL, status);
2024
2025 LOG(WARNING) << "LE Create Connection attempt failed, status="
2026 << loghex(status);
2027
2028 if (status == HCI_ERR_COMMAND_DISALLOWED) {
2029 /* There is already either direct connect, or whitelist connection
2030 * pending, but we don't know which one, or to which state should we
2031 * transition now. This can be triggered only in case of rare race
2032 * condition. Crash to recover. */
2033 LOG(FATAL) << "LE Create Connection - command disallowed";
2034 }
2035 }
2036 /*****************************************************************************
2037 * Function btm_proc_smp_cback
2038 *
2039 * Description This function is the SMP callback handler.
2040 *
2041 *****************************************************************************/
btm_proc_smp_cback(tSMP_EVT event,const RawAddress & bd_addr,tSMP_EVT_DATA * p_data)2042 uint8_t btm_proc_smp_cback(tSMP_EVT event, const RawAddress& bd_addr,
2043 tSMP_EVT_DATA* p_data) {
2044 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2045 uint8_t res = 0;
2046
2047 BTM_TRACE_DEBUG("btm_proc_smp_cback event = %d", event);
2048
2049 if (p_dev_rec != NULL) {
2050 switch (event) {
2051 case SMP_IO_CAP_REQ_EVT:
2052 btm_ble_io_capabilities_req(p_dev_rec,
2053 (tBTM_LE_IO_REQ*)&p_data->io_req);
2054 break;
2055
2056 case SMP_BR_KEYS_REQ_EVT:
2057 btm_ble_br_keys_req(p_dev_rec, (tBTM_LE_IO_REQ*)&p_data->io_req);
2058 break;
2059
2060 case SMP_PASSKEY_REQ_EVT:
2061 case SMP_PASSKEY_NOTIF_EVT:
2062 case SMP_OOB_REQ_EVT:
2063 case SMP_NC_REQ_EVT:
2064 case SMP_SC_OOB_REQ_EVT:
2065 /* fall through */
2066 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED;
2067
2068 case SMP_SEC_REQUEST_EVT:
2069 if (event == SMP_SEC_REQUEST_EVT &&
2070 btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
2071 BTM_TRACE_DEBUG("%s: Ignoring SMP Security request", __func__);
2072 break;
2073 }
2074 btm_cb.pairing_bda = bd_addr;
2075 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
2076 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
2077 /* fall through */
2078
2079 case SMP_COMPLT_EVT:
2080 if (btm_cb.api.p_le_callback) {
2081 /* the callback function implementation may change the IO
2082 * capability... */
2083 BTM_TRACE_DEBUG("btm_cb.api.p_le_callback=0x%x",
2084 btm_cb.api.p_le_callback);
2085 (*btm_cb.api.p_le_callback)(event, bd_addr,
2086 (tBTM_LE_EVT_DATA*)p_data);
2087 }
2088
2089 if (event == SMP_COMPLT_EVT) {
2090 p_dev_rec = btm_find_dev(bd_addr);
2091 if (p_dev_rec == NULL) {
2092 BTM_TRACE_ERROR("%s: p_dev_rec is NULL", __func__);
2093 android_errorWriteLog(0x534e4554, "120612744");
2094 return 0;
2095 }
2096 BTM_TRACE_DEBUG(
2097 "evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x",
2098 p_data->cmplt.sec_level, p_dev_rec->sec_flags);
2099
2100 res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS
2101 : BTM_ERR_PROCESSING;
2102
2103 BTM_TRACE_DEBUG(
2104 "after update result=%d sec_level=0x%x sec_flags=0x%x", res,
2105 p_data->cmplt.sec_level, p_dev_rec->sec_flags);
2106
2107 if (p_data->cmplt.is_pair_cancel &&
2108 btm_cb.api.p_bond_cancel_cmpl_callback) {
2109 BTM_TRACE_DEBUG("Pairing Cancel completed");
2110 (*btm_cb.api.p_bond_cancel_cmpl_callback)(BTM_SUCCESS);
2111 }
2112 #if (BTM_BLE_CONFORMANCE_TESTING == TRUE)
2113 if (res != BTM_SUCCESS) {
2114 if (!btm_cb.devcb.no_disc_if_pair_fail &&
2115 p_data->cmplt.reason != SMP_CONN_TOUT) {
2116 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL");
2117 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2118 } else {
2119 BTM_TRACE_DEBUG("Pairing failed - Not Removing ACL");
2120 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2121 }
2122 }
2123 #else
2124 if (res != BTM_SUCCESS && p_data->cmplt.reason != SMP_CONN_TOUT) {
2125 BTM_TRACE_DEBUG("Pairing failed - prepare to remove ACL");
2126 l2cu_start_post_bond_timer(p_dev_rec->ble_hci_handle);
2127 }
2128 #endif
2129
2130 BTM_TRACE_DEBUG(
2131 "btm_cb pairing_state=%x pairing_flags=%x pin_code_len=%x",
2132 btm_cb.pairing_state, btm_cb.pairing_flags, btm_cb.pin_code_len);
2133 VLOG(1) << "btm_cb.pairing_bda: " << btm_cb.pairing_bda;
2134
2135 /* Reset btm state only if the callback address matches pairing
2136 * address*/
2137 if (bd_addr == btm_cb.pairing_bda) {
2138 btm_cb.pairing_bda = RawAddress::kAny;
2139 btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
2140 btm_cb.pairing_flags = 0;
2141 }
2142
2143 if (res == BTM_SUCCESS) {
2144 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2145 #if (BLE_PRIVACY_SPT == TRUE)
2146 /* add all bonded device into resolving list if IRK is available*/
2147 btm_ble_resolving_list_load_dev(p_dev_rec);
2148 #endif
2149 }
2150
2151 btm_sec_dev_rec_cback_event(p_dev_rec, res, true);
2152 }
2153 break;
2154
2155 default:
2156 BTM_TRACE_DEBUG("unknown event = %d", event);
2157 break;
2158 }
2159 } else {
2160 BTM_TRACE_ERROR("btm_proc_smp_cback received for unknown device");
2161 }
2162
2163 return 0;
2164 }
2165
2166 /*******************************************************************************
2167 *
2168 * Function BTM_BleDataSignature
2169 *
2170 * Description This function is called to sign the data using AES128 CMAC
2171 * algorith.
2172 *
2173 * Parameter bd_addr: target device the data to be signed for.
2174 * p_text: singing data
2175 * len: length of the data to be signed.
2176 * signature: output parameter where data signature is going to
2177 * be stored.
2178 *
2179 * Returns true if signing sucessul, otherwise false.
2180 *
2181 ******************************************************************************/
BTM_BleDataSignature(const RawAddress & bd_addr,uint8_t * p_text,uint16_t len,BLE_SIGNATURE signature)2182 bool BTM_BleDataSignature(const RawAddress& bd_addr, uint8_t* p_text,
2183 uint16_t len, BLE_SIGNATURE signature) {
2184 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
2185
2186 BTM_TRACE_DEBUG("%s", __func__);
2187 bool ret = false;
2188 if (p_rec == NULL) {
2189 BTM_TRACE_ERROR("%s-data signing can not be done from unknown device",
2190 __func__);
2191 } else {
2192 uint8_t* p_mac = (uint8_t*)signature;
2193 uint8_t* pp;
2194 uint8_t* p_buf = (uint8_t*)osi_malloc(len + 4);
2195
2196 BTM_TRACE_DEBUG("%s-Start to generate Local CSRK", __func__);
2197 pp = p_buf;
2198 /* prepare plain text */
2199 if (p_text) {
2200 memcpy(p_buf, p_text, len);
2201 pp = (p_buf + len);
2202 }
2203
2204 UINT32_TO_STREAM(pp, p_rec->ble.keys.local_counter);
2205 UINT32_TO_STREAM(p_mac, p_rec->ble.keys.local_counter);
2206
2207 ret = aes_cipher_msg_auth_code(p_rec->ble.keys.lcsrk, p_buf,
2208 (uint16_t)(len + 4), BTM_CMAC_TLEN_SIZE,
2209 p_mac);
2210 if (ret) {
2211 btm_ble_increment_sign_ctr(bd_addr, true);
2212 }
2213
2214 BTM_TRACE_DEBUG("%s p_mac = %d", __func__, p_mac);
2215 BTM_TRACE_DEBUG(
2216 "p_mac[0] = 0x%02x p_mac[1] = 0x%02x p_mac[2] = 0x%02x p_mac[3] = "
2217 "0x%02x",
2218 *p_mac, *(p_mac + 1), *(p_mac + 2), *(p_mac + 3));
2219 BTM_TRACE_DEBUG(
2220 "p_mac[4] = 0x%02x p_mac[5] = 0x%02x p_mac[6] = 0x%02x p_mac[7] = "
2221 "0x%02x",
2222 *(p_mac + 4), *(p_mac + 5), *(p_mac + 6), *(p_mac + 7));
2223 osi_free(p_buf);
2224 }
2225 return ret;
2226 }
2227
2228 /*******************************************************************************
2229 *
2230 * Function BTM_BleVerifySignature
2231 *
2232 * Description This function is called to verify the data signature
2233 *
2234 * Parameter bd_addr: target device the data to be signed for.
2235 * p_orig: original data before signature.
2236 * len: length of the signing data
2237 * counter: counter used when doing data signing
2238 * p_comp: signature to be compared against.
2239
2240 * Returns true if signature verified correctly; otherwise false.
2241 *
2242 ******************************************************************************/
BTM_BleVerifySignature(const RawAddress & bd_addr,uint8_t * p_orig,uint16_t len,uint32_t counter,uint8_t * p_comp)2243 bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,
2244 uint16_t len, uint32_t counter, uint8_t* p_comp) {
2245 bool verified = false;
2246 tBTM_SEC_DEV_REC* p_rec = btm_find_dev(bd_addr);
2247 uint8_t p_mac[BTM_CMAC_TLEN_SIZE];
2248
2249 if (p_rec == NULL || (p_rec && !(p_rec->ble.key_type & BTM_LE_KEY_PCSRK))) {
2250 BTM_TRACE_ERROR("can not verify signature for unknown device");
2251 } else if (counter < p_rec->ble.keys.counter) {
2252 BTM_TRACE_ERROR("signature received with out dated sign counter");
2253 } else if (p_orig == NULL) {
2254 BTM_TRACE_ERROR("No signature to verify");
2255 } else {
2256 BTM_TRACE_DEBUG("%s rcv_cnt=%d >= expected_cnt=%d", __func__, counter,
2257 p_rec->ble.keys.counter);
2258
2259 if (aes_cipher_msg_auth_code(p_rec->ble.keys.pcsrk, p_orig, len,
2260 BTM_CMAC_TLEN_SIZE, p_mac)) {
2261 if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
2262 btm_ble_increment_sign_ctr(bd_addr, false);
2263 verified = true;
2264 }
2265 }
2266 }
2267 return verified;
2268 }
2269
2270 /*******************************************************************************
2271 *
2272 * Function BTM_GetLeSecurityState
2273 *
2274 * Description This function is called to get security mode 1 flags and
2275 * encryption key size for LE peer.
2276 *
2277 * Returns bool true if LE device is found, false otherwise.
2278 *
2279 ******************************************************************************/
BTM_GetLeSecurityState(const RawAddress & bd_addr,uint8_t * p_le_dev_sec_flags,uint8_t * p_le_key_size)2280 bool BTM_GetLeSecurityState(const RawAddress& bd_addr,
2281 uint8_t* p_le_dev_sec_flags,
2282 uint8_t* p_le_key_size) {
2283 tBTM_SEC_DEV_REC* p_dev_rec;
2284 uint16_t dev_rec_sec_flags;
2285
2286 *p_le_dev_sec_flags = 0;
2287 *p_le_key_size = 0;
2288
2289 p_dev_rec = btm_find_dev(bd_addr);
2290 if (p_dev_rec == NULL) {
2291 BTM_TRACE_ERROR("%s fails", __func__);
2292 return (false);
2293 }
2294
2295 if (p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE) {
2296 BTM_TRACE_ERROR("%s-this is not LE device", __func__);
2297 return (false);
2298 }
2299
2300 dev_rec_sec_flags = p_dev_rec->sec_flags;
2301
2302 if (dev_rec_sec_flags & BTM_SEC_LE_ENCRYPTED) {
2303 /* link is encrypted with LTK or STK */
2304 *p_le_key_size = p_dev_rec->enc_key_size;
2305 *p_le_dev_sec_flags |= BTM_SEC_LE_LINK_ENCRYPTED;
2306
2307 *p_le_dev_sec_flags |=
2308 (dev_rec_sec_flags & BTM_SEC_LE_AUTHENTICATED)
2309 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */
2310 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */
2311 } else if (p_dev_rec->ble.key_type & BTM_LE_KEY_PENC) {
2312 /* link is unencrypted, still LTK is available */
2313 *p_le_key_size = p_dev_rec->ble.keys.key_size;
2314
2315 *p_le_dev_sec_flags |=
2316 (dev_rec_sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
2317 ? BTM_SEC_LE_LINK_PAIRED_WITH_MITM /* set auth LTK flag */
2318 : BTM_SEC_LE_LINK_PAIRED_WITHOUT_MITM; /* set unauth LTK flag */
2319 }
2320
2321 BTM_TRACE_DEBUG("%s - le_dev_sec_flags: 0x%02x, le_key_size: %d", __func__,
2322 *p_le_dev_sec_flags, *p_le_key_size);
2323
2324 return true;
2325 }
2326
2327 /*******************************************************************************
2328 *
2329 * Function BTM_BleSecurityProcedureIsRunning
2330 *
2331 * Description This function indicates if LE security procedure is
2332 * currently running with the peer.
2333 *
2334 * Returns bool true if security procedure is running, false
2335 * otherwise.
2336 *
2337 ******************************************************************************/
BTM_BleSecurityProcedureIsRunning(const RawAddress & bd_addr)2338 bool BTM_BleSecurityProcedureIsRunning(const RawAddress& bd_addr) {
2339 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2340
2341 if (p_dev_rec == NULL) {
2342 LOG(ERROR) << __func__ << " device with BDA: " << bd_addr
2343 << " is not found";
2344 return false;
2345 }
2346
2347 return (p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING ||
2348 p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING);
2349 }
2350
2351 /*******************************************************************************
2352 *
2353 * Function BTM_BleGetSupportedKeySize
2354 *
2355 * Description This function gets the maximum encryption key size in bytes
2356 * the local device can suport.
2357 * record.
2358 *
2359 * Returns the key size or 0 if the size can't be retrieved.
2360 *
2361 ******************************************************************************/
BTM_BleGetSupportedKeySize(const RawAddress & bd_addr)2362 extern uint8_t BTM_BleGetSupportedKeySize(const RawAddress& bd_addr) {
2363 #if (L2CAP_LE_COC_INCLUDED == TRUE)
2364 tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
2365 tBTM_LE_EVT_DATA btm_le_evt_data;
2366 uint8_t callback_rc;
2367
2368 if (!p_dev_rec) {
2369 LOG(ERROR) << __func__ << " device with BDA: " << bd_addr
2370 << " is not found";
2371 return 0;
2372 }
2373
2374 if (btm_cb.api.p_le_callback == NULL) {
2375 BTM_TRACE_ERROR("%s can't access supported key size", __func__);
2376 return 0;
2377 }
2378
2379 callback_rc = (*btm_cb.api.p_le_callback)(
2380 BTM_LE_IO_REQ_EVT, p_dev_rec->bd_addr, &btm_le_evt_data);
2381
2382 if (callback_rc != BTM_SUCCESS) {
2383 BTM_TRACE_ERROR("%s can't access supported key size", __func__);
2384 return 0;
2385 }
2386
2387 BTM_TRACE_DEBUG("%s device supports key size = %d", __func__,
2388 btm_le_evt_data.io_req.max_key_size);
2389 return (btm_le_evt_data.io_req.max_key_size);
2390 #else
2391 return 0;
2392 #endif
2393 }
2394
2395 /*******************************************************************************
2396 * Utility functions for LE device IR/ER generation
2397 ******************************************************************************/
2398 /*******************************************************************************
2399 *
2400 * Function btm_notify_new_key
2401 *
2402 * Description This function is to notify application new keys have been
2403 * generated.
2404 *
2405 * Returns void
2406 *
2407 ******************************************************************************/
btm_notify_new_key(uint8_t key_type)2408 static void btm_notify_new_key(uint8_t key_type) {
2409 tBTM_BLE_LOCAL_KEYS* p_local_keys = NULL;
2410
2411 BTM_TRACE_DEBUG("btm_notify_new_key key_type=%d", key_type);
2412
2413 if (btm_cb.api.p_le_key_callback) {
2414 switch (key_type) {
2415 case BTM_BLE_KEY_TYPE_ID:
2416 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ID");
2417 p_local_keys = (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.id_keys;
2418 break;
2419
2420 case BTM_BLE_KEY_TYPE_ER:
2421 BTM_TRACE_DEBUG("BTM_BLE_KEY_TYPE_ER");
2422 p_local_keys =
2423 (tBTM_BLE_LOCAL_KEYS*)&btm_cb.devcb.ble_encryption_key_value;
2424 break;
2425
2426 default:
2427 BTM_TRACE_ERROR("unknown key type: %d", key_type);
2428 break;
2429 }
2430 if (p_local_keys != NULL)
2431 (*btm_cb.api.p_le_key_callback)(key_type, p_local_keys);
2432 }
2433 }
2434
2435 /*******************************************************************************
2436 *
2437 * Function btm_ble_process_irk
2438 *
2439 * Description This function is called when IRK is generated, store it in
2440 * local control block.
2441 *
2442 * Returns void
2443 *
2444 ******************************************************************************/
btm_ble_process_irk(tSMP_ENC * p)2445 static void btm_ble_process_irk(tSMP_ENC* p) {
2446 BTM_TRACE_DEBUG("btm_ble_process_irk");
2447 if (p && p->opcode == HCI_BLE_ENCRYPT) {
2448 memcpy(btm_cb.devcb.id_keys.irk, p->param_buf, BT_OCTET16_LEN);
2449 btm_notify_new_key(BTM_BLE_KEY_TYPE_ID);
2450
2451 #if (BLE_PRIVACY_SPT == TRUE)
2452 /* if privacy is enabled, new RPA should be calculated */
2453 if (btm_cb.ble_ctr_cb.privacy_mode != BTM_PRIVACY_NONE) {
2454 btm_gen_resolvable_private_addr(base::Bind(&btm_gen_resolve_paddr_low));
2455 }
2456 #endif
2457 } else {
2458 BTM_TRACE_ERROR("Generating IRK exception.");
2459 }
2460
2461 /* proceed generate ER */
2462 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand1) {
2463 memcpy(&btm_cb.devcb.ble_encryption_key_value[0], rand1, BT_OCTET8_LEN);
2464
2465 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand2) {
2466 memcpy(&btm_cb.devcb.ble_encryption_key_value[8], rand2, BT_OCTET8_LEN);
2467 btm_notify_new_key(BTM_BLE_KEY_TYPE_ER);
2468 }));
2469
2470 }));
2471 }
2472
2473 /*******************************************************************************
2474 *
2475 * Function btm_ble_process_dhk
2476 *
2477 * Description This function is called when DHK is calculated, store it in
2478 * local control block, and proceed to generate ER, a 128-bits
2479 * random number.
2480 *
2481 * Returns void
2482 *
2483 ******************************************************************************/
btm_ble_process_dhk(tSMP_ENC * p)2484 static void btm_ble_process_dhk(tSMP_ENC* p) {
2485 uint8_t btm_ble_irk_pt = 0x01;
2486 tSMP_ENC output;
2487
2488 BTM_TRACE_DEBUG("btm_ble_process_dhk");
2489
2490 if (p && p->opcode == HCI_BLE_ENCRYPT) {
2491 memcpy(btm_cb.devcb.id_keys.dhk, p->param_buf, BT_OCTET16_LEN);
2492 BTM_TRACE_DEBUG("BLE DHK generated.");
2493
2494 /* IRK = D1(IR, 1) */
2495 if (!SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_irk_pt,
2496 1, &output)) {
2497 /* reset all identity root related key */
2498 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2499 } else {
2500 btm_ble_process_irk(&output);
2501 }
2502 } else {
2503 /* reset all identity root related key */
2504 memset(&btm_cb.devcb.id_keys, 0, sizeof(tBTM_BLE_LOCAL_ID_KEYS));
2505 }
2506 }
2507
2508 /*******************************************************************************
2509 *
2510 * Function btm_ble_reset_id
2511 *
2512 * Description This function is called to reset LE device identity.
2513 *
2514 * Returns void
2515 *
2516 ******************************************************************************/
btm_ble_reset_id(void)2517 void btm_ble_reset_id(void) {
2518 BTM_TRACE_DEBUG("btm_ble_reset_id");
2519
2520 /* Regenerate Identity Root*/
2521 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) {
2522 BTM_TRACE_DEBUG("btm_ble_process_ir1");
2523 memcpy(btm_cb.devcb.id_keys.ir, rand, BT_OCTET8_LEN);
2524
2525 btsnd_hcic_ble_rand(base::Bind([](BT_OCTET8 rand) {
2526 uint8_t btm_ble_dhk_pt = 0x03;
2527 tSMP_ENC output;
2528
2529 BTM_TRACE_DEBUG("btm_ble_process_ir2");
2530
2531 /* remembering in control block */
2532 memcpy(&btm_cb.devcb.id_keys.ir[8], rand, BT_OCTET8_LEN);
2533 /* generate DHK= Eir({0x03, 0x00, 0x00 ...}) */
2534
2535 SMP_Encrypt(btm_cb.devcb.id_keys.ir, BT_OCTET16_LEN, &btm_ble_dhk_pt, 1,
2536 &output);
2537 btm_ble_process_dhk(&output);
2538
2539 BTM_TRACE_DEBUG("BLE IR generated.");
2540 }));
2541 }));
2542 }
2543
2544 /* This function set a random address to local controller. It also temporarily
2545 * disable scans and adv before sending the command to the controller. */
btm_ble_set_random_address(const RawAddress & random_bda)2546 void btm_ble_set_random_address(const RawAddress& random_bda) {
2547 tBTM_LE_RANDOM_CB* p_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
2548 tBTM_BLE_CB* p_ble_cb = &btm_cb.ble_ctr_cb;
2549 bool adv_mode = btm_cb.ble_ctr_cb.inq_var.adv_mode;
2550
2551 BTM_TRACE_DEBUG("%s", __func__);
2552 if (btm_ble_get_conn_st() == BLE_DIR_CONN) {
2553 BTM_TRACE_ERROR("%s: Cannot set random address. Direct conn ongoing",
2554 __func__);
2555 return;
2556 }
2557
2558 if (adv_mode == BTM_BLE_ADV_ENABLE)
2559 btsnd_hcic_ble_set_adv_enable(BTM_BLE_ADV_DISABLE);
2560 if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) btm_ble_stop_scan();
2561 btm_ble_suspend_bg_conn();
2562
2563 p_cb->private_addr = random_bda;
2564 btsnd_hcic_ble_set_random_addr(p_cb->private_addr);
2565
2566 if (adv_mode == BTM_BLE_ADV_ENABLE)
2567 btsnd_hcic_ble_set_adv_enable(BTM_BLE_ADV_ENABLE);
2568 if (BTM_BLE_IS_SCAN_ACTIVE(p_ble_cb->scan_activity)) btm_ble_start_scan();
2569 btm_ble_resume_bg_conn();
2570 }
2571
2572 #if BTM_BLE_CONFORMANCE_TESTING == TRUE
2573 /*******************************************************************************
2574 *
2575 * Function btm_ble_set_no_disc_if_pair_fail
2576 *
2577 * Description This function indicates whether no disconnect of the ACL
2578 * should be used if pairing failed
2579 *
2580 * Returns void
2581 *
2582 ******************************************************************************/
btm_ble_set_no_disc_if_pair_fail(bool disable_disc)2583 void btm_ble_set_no_disc_if_pair_fail(bool disable_disc) {
2584 BTM_TRACE_DEBUG("btm_ble_set_disc_enable_if_pair_fail disable_disc=%d",
2585 disable_disc);
2586 btm_cb.devcb.no_disc_if_pair_fail = disable_disc;
2587 }
2588
2589 /*******************************************************************************
2590 *
2591 * Function btm_ble_set_test_mac_value
2592 *
2593 * Description This function set test MAC value
2594 *
2595 * Returns void
2596 *
2597 ******************************************************************************/
btm_ble_set_test_mac_value(bool enable,uint8_t * p_test_mac_val)2598 void btm_ble_set_test_mac_value(bool enable, uint8_t* p_test_mac_val) {
2599 BTM_TRACE_DEBUG("btm_ble_set_test_mac_value enable=%d", enable);
2600 btm_cb.devcb.enable_test_mac_val = enable;
2601 memcpy(btm_cb.devcb.test_mac, p_test_mac_val, BT_OCTET8_LEN);
2602 }
2603
2604 /*******************************************************************************
2605 *
2606 * Function btm_ble_set_test_local_sign_cntr_value
2607 *
2608 * Description This function set test local sign counter value
2609 *
2610 * Returns void
2611 *
2612 ******************************************************************************/
btm_ble_set_test_local_sign_cntr_value(bool enable,uint32_t test_local_sign_cntr)2613 void btm_ble_set_test_local_sign_cntr_value(bool enable,
2614 uint32_t test_local_sign_cntr) {
2615 BTM_TRACE_DEBUG(
2616 "btm_ble_set_test_local_sign_cntr_value enable=%d local_sign_cntr=%d",
2617 enable, test_local_sign_cntr);
2618 btm_cb.devcb.enable_test_local_sign_cntr = enable;
2619 btm_cb.devcb.test_local_sign_cntr = test_local_sign_cntr;
2620 }
2621
2622 /*******************************************************************************
2623 *
2624 * Function btm_ble_set_keep_rfu_in_auth_req
2625 *
2626 * Description This function indicates if RFU bits have to be kept as is
2627 * (by default they have to be set to 0 by the sender).
2628 *
2629 * Returns void
2630 *
2631 ******************************************************************************/
btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu)2632 void btm_ble_set_keep_rfu_in_auth_req(bool keep_rfu) {
2633 BTM_TRACE_DEBUG("btm_ble_set_keep_rfu_in_auth_req keep_rfus=%d", keep_rfu);
2634 btm_cb.devcb.keep_rfu_in_auth_req = keep_rfu;
2635 }
2636
2637 #endif /* BTM_BLE_CONFORMANCE_TESTING */
2638