1 /******************************************************************************
2 *
3 * Copyright (C) 1999-2012 Broadcom Corporation
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 ******************************************************************************/
18
19 /******************************************************************************
20 *
21 * This file contains functions for the Bluetooth Security Manager
22 *
23 ******************************************************************************/
24
25 //#define LOG_TAG "bt_btm_sec"
26
27 #include <stdarg.h>
28 #include <string.h>
29
30 #include "stack/bt_types.h"
31 #include "device/controller.h"
32 #include "stack/hcimsgs.h"
33 #include "stack/btu.h"
34 #include "btm_int.h"
35 #include "l2c_int.h"
36 #include "osi/fixed_queue.h"
37 #include "osi/alarm.h"
38 #include "stack/btm_ble_api.h"
39
40 #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE)
41 /* needed for sprintf() */
42 #include <stdio.h>
43 #endif
44
45 #if BLE_INCLUDED == TRUE
46 #include "gatt_int.h"
47 #endif
48
49 #define BTM_SEC_MAX_COLLISION_DELAY (5000)
50
51 #ifdef APPL_AUTH_WRITE_EXCEPTION
52 BOOLEAN (APPL_AUTH_WRITE_EXCEPTION)(BD_ADDR bd_addr);
53 #endif
54
55
56 /********************************************************************************
57 ** L O C A L F U N C T I O N P R O T O T Y P E S *
58 *********************************************************************************/
59 #if (SMP_INCLUDED == TRUE)
60 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur);
61 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
62 UINT32 mx_proto_id,
63 UINT32 mx_chan_id);
64 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec);
65 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec);
66 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec);
67 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec);
68 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle);
69 static void btm_restore_mode(void);
70 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle);
71 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec);
72 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state);
73 #endif ///SMP_INCLUDED == TRUE
74 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
75 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state);
76 #endif
77 #if (SMP_INCLUDED == TRUE)
78 static void btm_sec_check_pending_reqs(void);
79 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
80 UINT32 mx_proto_id, UINT32 mx_chan_id,
81 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
82 static void btm_sec_bond_cancel_complete (void);
83 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec);
84 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec);
85 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec);
86 #endif ///SMP_INCLUDED == TRUE
87 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[]);
88 #if (SMP_INCLUDED == TRUE)
89 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle);
90 #endif ///SMP_INCLUDED == TRUE
91 UINT8 btm_sec_start_role_switch (tBTM_SEC_DEV_REC *p_dev_rec);
92 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state);
93
94 static BOOLEAN btm_sec_set_security_level ( CONNECTION_TYPE conn_type, const char *p_name, UINT8 service_id,
95 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
96 UINT32 mx_chan_id);
97 #if (SMP_INCLUDED == TRUE)
98 static BOOLEAN btm_dev_authenticated(tBTM_SEC_DEV_REC *p_dev_rec);
99 static BOOLEAN btm_dev_encrypted(tBTM_SEC_DEV_REC *p_dev_rec);
100 static BOOLEAN btm_dev_authorized(tBTM_SEC_DEV_REC *p_dev_rec);
101 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec);
102 static BOOLEAN btm_sec_is_serv_level0 (UINT16 psm);
103 static UINT16 btm_sec_set_serv_level4_flags (UINT16 cur_security, BOOLEAN is_originator);
104
105 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
106 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data);
107 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
108 UINT8 encr_enable);
109 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec);
110 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec);
111 #endif ///SMP_INCLUDED == TRUE
112
113 /* TRUE - authenticated link key is possible */
114 static const BOOLEAN btm_sec_io_map [BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = {
115 /* OUT, IO, IN, NONE */
116 /* OUT */ {FALSE, FALSE, TRUE, FALSE},
117 /* IO */ {FALSE, TRUE, TRUE, FALSE},
118 /* IN */ {TRUE, TRUE, TRUE, FALSE},
119 /* NONE */ {FALSE, FALSE, FALSE, FALSE}
120 };
121 /* BTM_IO_CAP_OUT 0 DisplayOnly */
122 /* BTM_IO_CAP_IO 1 DisplayYesNo */
123 /* BTM_IO_CAP_IN 2 KeyboardOnly */
124 /* BTM_IO_CAP_NONE 3 NoInputNoOutput */
125
126 /*******************************************************************************
127 **
128 ** Function btm_dev_authenticated
129 **
130 ** Description check device is authenticated
131 **
132 ** Returns BOOLEAN TRUE or FALSE
133 **
134 *******************************************************************************/
135 #if (SMP_INCLUDED == TRUE)
btm_dev_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)136 static BOOLEAN btm_dev_authenticated (tBTM_SEC_DEV_REC *p_dev_rec)
137 {
138 if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) {
139 return (TRUE);
140 }
141 return (FALSE);
142 }
143
144 /*******************************************************************************
145 **
146 ** Function btm_dev_encrypted
147 **
148 ** Description check device is encrypted
149 **
150 ** Returns BOOLEAN TRUE or FALSE
151 **
152 *******************************************************************************/
btm_dev_encrypted(tBTM_SEC_DEV_REC * p_dev_rec)153 static BOOLEAN btm_dev_encrypted (tBTM_SEC_DEV_REC *p_dev_rec)
154 {
155 if (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED) {
156 return (TRUE);
157 }
158 return (FALSE);
159 }
160
161 /*******************************************************************************
162 **
163 ** Function btm_dev_authorized
164 **
165 ** Description check device is authorized
166 **
167 ** Returns BOOLEAN TRUE or FALSE
168 **
169 *******************************************************************************/
btm_dev_authorized(tBTM_SEC_DEV_REC * p_dev_rec)170 static BOOLEAN btm_dev_authorized (tBTM_SEC_DEV_REC *p_dev_rec)
171 {
172 if (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED) {
173 return (TRUE);
174 }
175 return (FALSE);
176 }
177
178 /*******************************************************************************
179 **
180 ** Function btm_dev_16_digit_authenticated
181 **
182 ** Description check device is authenticated by using 16 digit pin or MITM
183 **
184 ** Returns BOOLEAN TRUE or FALSE
185 **
186 *******************************************************************************/
btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC * p_dev_rec)187 static BOOLEAN btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC *p_dev_rec)
188 {
189 // BTM_SEC_16_DIGIT_PIN_AUTHED is set if MITM or 16 digit pin is used
190 if (p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED) {
191 return (TRUE);
192 }
193 return (FALSE);
194 }
195 #endif ///SMP_INCLUDED == TRUE
196
197 /*******************************************************************************
198 **
199 ** Function btm_serv_trusted
200 **
201 ** Description check service is trusted
202 **
203 ** Returns BOOLEAN TRUE or FALSE
204 **
205 *******************************************************************************/
206 #if (SMP_INCLUDED == TRUE)
btm_serv_trusted(tBTM_SEC_DEV_REC * p_dev_rec,tBTM_SEC_SERV_REC * p_serv_rec)207 static BOOLEAN btm_serv_trusted(tBTM_SEC_DEV_REC *p_dev_rec, tBTM_SEC_SERV_REC *p_serv_rec)
208 {
209 if (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask, p_serv_rec->service_id)) {
210 return (TRUE);
211 }
212 return (FALSE);
213 }
214 #endif ///SMP_INCLUDED == TRUE
215 /*******************************************************************************
216 **
217 ** Function BTM_SecRegister
218 **
219 ** Description Application manager calls this function to register for
220 ** security services. There can be one and only one application
221 ** saving link keys. BTM allows only first registration.
222 **
223 ** Returns TRUE if registered OK, else FALSE
224 **
225 *******************************************************************************/
BTM_SecRegister(tBTM_APPL_INFO * p_cb_info)226 BOOLEAN BTM_SecRegister(tBTM_APPL_INFO *p_cb_info)
227 {
228 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
229 BT_OCTET16 temp_value = {0};
230 #endif
231
232 BTM_TRACE_EVENT("%s application registered\n", __func__);
233
234 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
235 BTM_TRACE_DEBUG("%s p_cb_info->p_le_callback == 0x%p\n", __func__, p_cb_info->p_le_callback);
236 if (p_cb_info->p_le_callback) {
237 BTM_TRACE_EVENT("%s SMP_Register( btm_proc_smp_cback )\n", __func__);
238 SMP_Register(btm_proc_smp_cback);
239 /* if no IR is loaded, need to regenerate all the keys */
240 if (memcmp(btm_cb.devcb.id_keys.ir, &temp_value, sizeof(BT_OCTET16)) == 0) {
241 btm_ble_reset_id();
242 }
243 #if (!BLE_UPDATE_BLE_ADDR_TYPE_RPA)
244 BD_ADDR peer_addr = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0};
245 BT_OCTET16 peer_irk = {0x0};
246 /* add local irk to controller */
247 btsnd_hcic_ble_add_device_resolving_list (0, peer_addr, peer_irk, btm_cb.devcb.id_keys.irk);
248 #endif
249 } else {
250 BTM_TRACE_WARNING("%s p_cb_info->p_le_callback == NULL\n", __func__);
251 }
252 #endif
253
254 btm_cb.api = *p_cb_info;
255 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
256 BTM_TRACE_DEBUG("%s btm_cb.api.p_le_callback = 0x%p\n", __func__, btm_cb.api.p_le_callback);
257 #endif
258 BTM_TRACE_EVENT("%s application registered\n", __func__);
259 return (TRUE);
260 }
261
262 /*******************************************************************************
263 **
264 ** Function BTM_SecRegisterLinkKeyNotificationCallback
265 **
266 ** Description Application manager calls this function to register for
267 ** link key notification. When there is nobody registered
268 ** we should avoid changing link key
269 **
270 ** Returns TRUE if registered OK, else FALSE
271 **
272 *******************************************************************************/
BTM_SecRegisterLinkKeyNotificationCallback(tBTM_LINK_KEY_CALLBACK * p_callback)273 BOOLEAN BTM_SecRegisterLinkKeyNotificationCallback (tBTM_LINK_KEY_CALLBACK *p_callback)
274 {
275 btm_cb.api.p_link_key_callback = p_callback;
276 return TRUE;
277 }
278
279 /*******************************************************************************
280 **
281 ** Function BTM_SecAddRmtNameNotifyCallback
282 **
283 ** Description Any profile can register to be notified when name of the
284 ** remote device is resolved.
285 **
286 ** Returns TRUE if registered OK, else FALSE
287 **
288 *******************************************************************************/
289 #if (SMP_INCLUDED == TRUE) || (CLASSIC_BT_INCLUDED == TRUE)
BTM_SecAddRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)290 BOOLEAN BTM_SecAddRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
291 {
292 int i;
293
294 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) {
295 if (btm_cb.p_rmt_name_callback[i] == NULL) {
296 btm_cb.p_rmt_name_callback[i] = p_callback;
297 return (TRUE);
298 }
299 }
300 return (FALSE);
301 }
302 #endif ///SMP_INCLUDED == TRUE
303
304 /*******************************************************************************
305 **
306 ** Function BTM_SecDeleteRmtNameNotifyCallback
307 **
308 ** Description Any profile can deregister notification when a new Link Key
309 ** is generated per connection.
310 **
311 ** Returns TRUE if OK, else FALSE
312 **
313 *******************************************************************************/
314 #if (SMP_INCLUDED == TRUE) || (CLASSIC_BT_INCLUDED == TRUE)
BTM_SecDeleteRmtNameNotifyCallback(tBTM_RMT_NAME_CALLBACK * p_callback)315 BOOLEAN BTM_SecDeleteRmtNameNotifyCallback (tBTM_RMT_NAME_CALLBACK *p_callback)
316 {
317 int i;
318
319 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) {
320 if (btm_cb.p_rmt_name_callback[i] == p_callback) {
321 btm_cb.p_rmt_name_callback[i] = NULL;
322 return (TRUE);
323 }
324 }
325 return (FALSE);
326 }
327 #endif ///SMP_INCLUDED == TRUE
328
329 /*******************************************************************************
330 **
331 ** Function BTM_GetSecurityFlags
332 **
333 ** Description Get security flags for the device
334 **
335 ** Returns BOOLEAN TRUE or FALSE is device found
336 **
337 *******************************************************************************/
BTM_GetSecurityFlags(BD_ADDR bd_addr,UINT8 * p_sec_flags)338 BOOLEAN BTM_GetSecurityFlags (BD_ADDR bd_addr, UINT8 *p_sec_flags)
339 {
340 tBTM_SEC_DEV_REC *p_dev_rec;
341
342 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) {
343 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
344 return (TRUE);
345 }
346 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false");
347 return (FALSE);
348 }
349
350 /*******************************************************************************
351 **
352 ** Function BTM_GetSecurityFlagsByTransport
353 **
354 ** Description Get security flags for the device on a particular transport
355 **
356 ** Returns BOOLEAN TRUE or FALSE is device found
357 **
358 *******************************************************************************/
BTM_GetSecurityFlagsByTransport(BD_ADDR bd_addr,UINT8 * p_sec_flags,tBT_TRANSPORT transport)359 BOOLEAN BTM_GetSecurityFlagsByTransport (BD_ADDR bd_addr, UINT8 *p_sec_flags,
360 tBT_TRANSPORT transport)
361 {
362 tBTM_SEC_DEV_REC *p_dev_rec;
363
364 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) {
365 if (transport == BT_TRANSPORT_BR_EDR) {
366 *p_sec_flags = (UINT8) p_dev_rec->sec_flags;
367 } else {
368 *p_sec_flags = (UINT8) (p_dev_rec->sec_flags >> 8);
369 }
370
371 return (TRUE);
372 }
373 BTM_TRACE_ERROR ("BTM_GetSecurityFlags false\n");
374 return (FALSE);
375 }
376
377 #if (CLASSIC_BT_INCLUDED == TRUE)
378 /*******************************************************************************
379 **
380 ** Function BTM_SetPinType
381 **
382 ** Description Set PIN type for the device.
383 **
384 ** Returns void
385 **
386 *******************************************************************************/
BTM_SetPinType(UINT8 pin_type,PIN_CODE pin_code,UINT8 pin_code_len)387 void BTM_SetPinType (UINT8 pin_type, PIN_CODE pin_code, UINT8 pin_code_len)
388 {
389 BTM_TRACE_API ("BTM_SetPinType: pin type %d [variable-0, fixed-1], code %s, length %d\n",
390 pin_type, (char *) pin_code, pin_code_len);
391
392 /* If device is not up security mode will be set as a part of startup */
393 if ( (btm_cb.cfg.pin_type != pin_type)
394 && controller_get_interface()->get_is_ready() ) {
395 btsnd_hcic_write_pin_type (pin_type);
396 }
397
398 btm_cb.cfg.pin_type = pin_type;
399 btm_cb.cfg.pin_code_len = pin_code_len;
400 memcpy (btm_cb.cfg.pin_code, pin_code, pin_code_len);
401 }
402 #endif ///CLASSIC_BT_INCLUDED == TRUE
403
404 /*******************************************************************************
405 **
406 ** Function BTM_SetPairableMode
407 **
408 ** Description Enable or disable pairing
409 **
410 ** Parameters allow_pairing - (TRUE or FALSE) whether or not the device
411 ** allows pairing.
412 ** connect_only_paired - (TRUE or FALSE) whether or not to
413 ** only allow paired devices to connect.
414 **
415 ** Returns void
416 **
417 *******************************************************************************/
BTM_SetPairableMode(BOOLEAN allow_pairing,BOOLEAN connect_only_paired)418 void BTM_SetPairableMode (BOOLEAN allow_pairing, BOOLEAN connect_only_paired)
419 {
420 BTM_TRACE_API ("BTM_SetPairableMode() allow_pairing: %u connect_only_paired: %u\n", allow_pairing, connect_only_paired);
421
422 btm_cb.pairing_disabled = !allow_pairing;
423 btm_cb.connect_only_paired = connect_only_paired;
424 }
425
426 /*******************************************************************************
427 **
428 ** Function BTM_SetSecureConnectionsOnly
429 **
430 ** Description Enable or disable default treatment for Mode 4 Level 0 services
431 **
432 ** Parameter secure_connections_only_mode - (TRUE or FALSE) whether or not the device
433 ** TRUE means that the device should treat Mode 4 Level 0 services as
434 ** services of other levels. (Secure_connections_only_mode)
435 ** FALSE means that the device should provide default treatment for
436 ** Mode 4 Level 0 services.
437 **
438 ** Returns void
439 **
440 *******************************************************************************/
BTM_SetSecureConnectionsOnly(BOOLEAN secure_connections_only_mode)441 void BTM_SetSecureConnectionsOnly (BOOLEAN secure_connections_only_mode)
442 {
443 BTM_TRACE_API("%s: Mode : %u\n", __FUNCTION__,
444 secure_connections_only_mode);
445
446 btm_cb.devcb.secure_connections_only = secure_connections_only_mode;
447 btm_cb.security_mode = BTM_SEC_MODE_SC;
448 }
449 #define BTM_NO_AVAIL_SEC_SERVICES ((UINT16) 0xffff)
450
451 /*******************************************************************************
452 **
453 ** Function BTM_SetSecurityLevel
454 **
455 ** Description Register service security level with Security Manager
456 **
457 ** Parameters: is_originator - TRUE if originating the connection, FALSE if not
458 ** p_name - Name of the service relevant only if
459 ** authorization will show this name to user. ignored
460 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
461 ** service_id - service ID for the service passed to authorization callback
462 ** sec_level - bit mask of the security features
463 ** psm - L2CAP PSM
464 ** mx_proto_id - protocol ID of multiplexing proto below
465 ** mx_chan_id - channel ID of multiplexing proto below
466 **
467 ** Returns TRUE if registered OK, else FALSE
468 **
469 *******************************************************************************/
BTM_SetSecurityLevel(BOOLEAN is_originator,const char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)470 BOOLEAN BTM_SetSecurityLevel (BOOLEAN is_originator, const char *p_name, UINT8 service_id,
471 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
472 UINT32 mx_chan_id)
473 {
474 #if (L2CAP_UCD_INCLUDED == TRUE)
475 CONNECTION_TYPE conn_type;
476
477 if (is_originator) {
478 conn_type = CONN_ORIENT_ORIG;
479 } else {
480 conn_type = CONN_ORIENT_TERM;
481 }
482
483 return (btm_sec_set_security_level (conn_type, p_name, service_id,
484 sec_level, psm, mx_proto_id, mx_chan_id));
485 #else
486 return (btm_sec_set_security_level (is_originator, p_name, service_id,
487 sec_level, psm, mx_proto_id, mx_chan_id));
488 #endif
489 }
490
491 /*******************************************************************************
492 **
493 ** Function btm_sec_set_security_level
494 **
495 ** Description Register service security level with Security Manager
496 **
497 ** Parameters: conn_type - TRUE if originating the connection, FALSE if not
498 ** p_name - Name of the service relevant only if
499 ** authorization will show this name to user. ignored
500 ** if BTM_SEC_SERVICE_NAME_LEN is 0.
501 ** service_id - service ID for the service passed to authorization callback
502 ** sec_level - bit mask of the security features
503 ** psm - L2CAP PSM
504 ** mx_proto_id - protocol ID of multiplexing proto below
505 ** mx_chan_id - channel ID of multiplexing proto below
506 **
507 ** Returns TRUE if registered OK, else FALSE
508 **
509 *******************************************************************************/
btm_sec_set_security_level(CONNECTION_TYPE conn_type,const char * p_name,UINT8 service_id,UINT16 sec_level,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)510 static BOOLEAN btm_sec_set_security_level (CONNECTION_TYPE conn_type, const char *p_name, UINT8 service_id,
511 UINT16 sec_level, UINT16 psm, UINT32 mx_proto_id,
512 UINT32 mx_chan_id)
513 {
514 #if (SMP_INCLUDED == TRUE)
515 tBTM_SEC_SERV_REC *p_srec;
516 UINT16 index;
517 UINT16 first_unused_record = BTM_NO_AVAIL_SEC_SERVICES;
518 BOOLEAN record_allocated = FALSE;
519 BOOLEAN is_originator;
520 #if (L2CAP_UCD_INCLUDED == TRUE)
521 BOOLEAN is_ucd;
522
523 if (conn_type & CONNECTION_TYPE_ORIG_MASK) {
524 is_originator = TRUE;
525 } else {
526 is_originator = FALSE;
527 }
528
529 if (conn_type & CONNECTION_TYPE_CONNLESS_MASK ) {
530 is_ucd = TRUE;
531 } else {
532 is_ucd = FALSE;
533 }
534 #else
535 is_originator = conn_type;
536 #endif
537
538 BTM_TRACE_API("%s : sec: 0x%x\n", __func__, sec_level);
539
540 /* See if the record can be reused (same service name, psm, mx_proto_id,
541 service_id, and mx_chan_id), or obtain the next unused record */
542
543 p_srec = &btm_cb.sec_serv_rec[0];
544
545
546 for (index = 0; index < BTM_SEC_MAX_SERVICE_RECORDS; index++, p_srec++) {
547 /* Check if there is already a record for this service */
548 if (p_srec->security_flags & BTM_SEC_IN_USE) {
549 #if BTM_SEC_SERVICE_NAME_LEN > 0
550 if (p_srec->psm == psm &&
551 p_srec->mx_proto_id == mx_proto_id &&
552 service_id == p_srec->service_id &&
553 (!strncmp (p_name, (char *) p_srec->orig_service_name,
554 BTM_SEC_SERVICE_NAME_LEN) ||
555 !strncmp (p_name, (char *) p_srec->term_service_name,
556 BTM_SEC_SERVICE_NAME_LEN)))
557 #else
558 if (p_srec->psm == psm &&
559 p_srec->mx_proto_id == mx_proto_id &&
560 service_id == p_srec->service_id)
561 #endif
562 {
563 record_allocated = TRUE;
564 break;
565 }
566 }
567 /* Mark the first available service record */
568 else if (!record_allocated) {
569 memset (p_srec, 0, sizeof(tBTM_SEC_SERV_REC));
570 record_allocated = TRUE;
571 first_unused_record = index;
572 }
573 }
574
575 if (!record_allocated) {
576 BTM_TRACE_WARNING("BTM_SEC_REG: Out of Service Records (%d)\n", BTM_SEC_MAX_SERVICE_RECORDS);
577 return (record_allocated);
578 }
579
580 /* Process the request if service record is valid */
581 /* If a duplicate service wasn't found, use the first available */
582 if (index >= BTM_SEC_MAX_SERVICE_RECORDS) {
583 index = first_unused_record;
584 p_srec = &btm_cb.sec_serv_rec[index];
585 }
586
587 p_srec->psm = psm;
588 p_srec->service_id = service_id;
589 p_srec->mx_proto_id = mx_proto_id;
590
591 if (is_originator) {
592 p_srec->orig_mx_chan_id = mx_chan_id;
593 #if BTM_SEC_SERVICE_NAME_LEN > 0
594 BCM_STRNCPY_S ((char *)p_srec->orig_service_name, p_name, BTM_SEC_SERVICE_NAME_LEN);
595 #endif
596 /* clear out the old setting, just in case it exists */
597 #if (L2CAP_UCD_INCLUDED == TRUE)
598 if ( is_ucd ) {
599 p_srec->ucd_security_flags &=
600 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
601 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
602 } else
603 #endif
604 {
605 p_srec->security_flags &=
606 ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM |
607 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
608 }
609
610 /* Parameter validation. Originator should not set requirements for incoming connections */
611 sec_level &= ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE
612 | BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN );
613
614 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
615 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
616 btm_cb.security_mode == BTM_SEC_MODE_SC) {
617 if (sec_level & BTM_SEC_OUT_AUTHENTICATE) {
618 sec_level |= BTM_SEC_OUT_MITM;
619 }
620 }
621
622 /* Make sure the authenticate bit is set, when encrypt bit is set */
623 if (sec_level & BTM_SEC_OUT_ENCRYPT) {
624 sec_level |= BTM_SEC_OUT_AUTHENTICATE;
625 }
626
627 /* outgoing connections usually set the security level right before
628 * the connection is initiated.
629 * set it to be the outgoing service */
630 #if (L2CAP_UCD_INCLUDED == TRUE)
631 if ( is_ucd == FALSE )
632 #endif
633 {
634 btm_cb.p_out_serv = p_srec;
635 }
636 } else {
637 p_srec->term_mx_chan_id = mx_chan_id;
638 #if BTM_SEC_SERVICE_NAME_LEN > 0
639 BCM_STRNCPY_S ((char *)p_srec->term_service_name, p_name, BTM_SEC_SERVICE_NAME_LEN);
640 #endif
641 /* clear out the old setting, just in case it exists */
642 #if (L2CAP_UCD_INCLUDED == TRUE)
643 if ( is_ucd ) {
644 p_srec->ucd_security_flags &=
645 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
646 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
647 | BTM_SEC_IN_MIN_16_DIGIT_PIN);
648 } else
649 #endif
650 {
651 p_srec->security_flags &=
652 ~(BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_MITM |
653 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER | BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE
654 | BTM_SEC_IN_MIN_16_DIGIT_PIN);
655 }
656
657 /* Parameter validation. Acceptor should not set requirements for outgoing connections */
658 sec_level &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_OUT_ENCRYPT | BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
659
660 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
661 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
662 btm_cb.security_mode == BTM_SEC_MODE_SC) {
663 if (sec_level & BTM_SEC_IN_AUTHENTICATE) {
664 sec_level |= BTM_SEC_IN_MITM;
665 }
666 }
667
668 /* Make sure the authenticate bit is set, when encrypt bit is set */
669 if (sec_level & BTM_SEC_IN_ENCRYPT) {
670 sec_level |= BTM_SEC_IN_AUTHENTICATE;
671 }
672 }
673
674 #if (L2CAP_UCD_INCLUDED == TRUE)
675 if ( is_ucd ) {
676 p_srec->security_flags |= (UINT16)(BTM_SEC_IN_USE);
677 p_srec->ucd_security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
678 } else {
679 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
680 }
681
682 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, conn_type 0x%x, psm 0x%04x, proto_id %d, chan_id %d\n",
683 index, service_id, conn_type, psm, mx_proto_id, mx_chan_id);
684
685 BTM_TRACE_API(" : security_flags: 0x%04x, ucd_security_flags: 0x%04x\n",
686 p_srec->security_flags, p_srec->ucd_security_flags);
687
688 #if BTM_SEC_SERVICE_NAME_LEN > 0
689 BTM_TRACE_API(" : service name [%s] (up to %d chars saved)\n",
690 p_name, BTM_SEC_SERVICE_NAME_LEN);
691 #endif
692 #else
693 p_srec->security_flags |= (UINT16)(sec_level | BTM_SEC_IN_USE);
694
695 BTM_TRACE_API("BTM_SEC_REG[%d]: id %d, is_orig %d, psm 0x%04x, proto_id %d, chan_id %d\n",
696 index, service_id, is_originator, psm, mx_proto_id, mx_chan_id);
697
698 #if BTM_SEC_SERVICE_NAME_LEN > 0
699 BTM_TRACE_API(" : sec: 0x%x, service name [%s] (up to %d chars saved)\n",
700 p_srec->security_flags, p_name, BTM_SEC_SERVICE_NAME_LEN);
701 #endif
702 #endif
703
704
705 return (record_allocated);
706 #else
707 return FALSE;
708 #endif ///SMP_INCLUDED == TRUE
709 }
710
711 /*******************************************************************************
712 **
713 ** Function BTM_SecClrService
714 **
715 ** Description Removes specified service record(s) from the security database.
716 ** All service records with the specified name are removed.
717 ** Typically used only by devices with limited RAM so that it can
718 ** reuse an old security service record.
719 **
720 ** Note: Unpredictable results may occur if a service is cleared
721 ** that is still in use by an application/profile.
722 **
723 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
724 ** records (except SDP).
725 **
726 ** Returns Number of records that were freed.
727 **
728 *******************************************************************************/
729 #if (SDP_INCLUDED == TRUE)
BTM_SecClrService(UINT8 service_id)730 UINT8 BTM_SecClrService (UINT8 service_id)
731 {
732 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
733 UINT8 num_freed = 0;
734 int i;
735
736 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) {
737 /* Delete services with specified name (if in use and not SDP) */
738 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm != BT_PSM_SDP) &&
739 (!service_id || (service_id == p_srec->service_id))) {
740 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d\n", i, service_id);
741 p_srec->security_flags = 0;
742 #if (L2CAP_UCD_INCLUDED == TRUE)
743 p_srec->ucd_security_flags = 0;
744 #endif
745 num_freed++;
746 }
747 }
748
749 return (num_freed);
750 }
751 #endif ///SDP_INCLUDED == TRUE
752
753 /*******************************************************************************
754 **
755 ** Function btm_sec_clr_service_by_psm
756 **
757 ** Description Removes specified service record from the security database.
758 ** All service records with the specified psm are removed.
759 ** Typically used by L2CAP to free up the service record used
760 ** by dynamic PSM clients when the channel is closed.
761 ** The given psm must be a virtual psm.
762 **
763 ** Parameters Service ID - Id of the service to remove. ('0' removes all service
764 ** records (except SDP).
765 **
766 ** Returns Number of records that were freed.
767 **
768 *******************************************************************************/
769 #if (SDP_INCLUDED== TRUE)
btm_sec_clr_service_by_psm(UINT16 psm)770 UINT8 btm_sec_clr_service_by_psm (UINT16 psm)
771 {
772 tBTM_SEC_SERV_REC *p_srec = &btm_cb.sec_serv_rec[0];
773 UINT8 num_freed = 0;
774 int i;
775
776 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_srec++) {
777 /* Delete services with specified name (if in use and not SDP) */
778 if ((p_srec->security_flags & BTM_SEC_IN_USE) && (p_srec->psm == psm) ) {
779 BTM_TRACE_API("BTM_SEC_CLR[%d]: id %d\n", i, p_srec->service_id);
780 p_srec->security_flags = 0;
781 num_freed++;
782 }
783 }
784 BTM_TRACE_API("btm_sec_clr_service_by_psm psm:0x%x num_freed:%d\n", psm, num_freed);
785
786 return (num_freed);
787 }
788 #endif ///SDP_INCLUDED== TRUE
789
790 /*******************************************************************************
791 **
792 ** Function btm_sec_clr_temp_auth_service
793 **
794 ** Description Removes specified device record's temporary authorization
795 ** flag from the security database.
796 **
797 ** Parameters Device address to be cleared
798 **
799 ** Returns void.
800 **
801 *******************************************************************************/
btm_sec_clr_temp_auth_service(BD_ADDR bda)802 void btm_sec_clr_temp_auth_service (BD_ADDR bda)
803 {
804 tBTM_SEC_DEV_REC *p_dev_rec;
805
806 if ((p_dev_rec = btm_find_dev (bda)) == NULL) {
807 BTM_TRACE_WARNING ("btm_sec_clr_temp_auth_service() - no dev CB\n");
808 return;
809 }
810
811 /* Reset the temporary authorized flag so that next time (untrusted) service is accessed autorization will take place */
812 if (p_dev_rec->last_author_service_id != BTM_SEC_NO_LAST_SERVICE_ID && p_dev_rec->p_cur_service) {
813 BTM_TRACE_DEBUG ("btm_sec_clr_auth_service_by_psm [clearing device: %02x:%02x:%02x:%02x:%02x:%02x]\n",
814 bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
815
816 p_dev_rec->last_author_service_id = BTM_SEC_NO_LAST_SERVICE_ID;
817 }
818 }
819
820 /*******************************************************************************
821 **
822 ** Function BTM_PINCodeReply
823 **
824 ** Description This function is called after Security Manager submitted
825 ** PIN code request to the UI.
826 **
827 ** Parameters: bd_addr - Address of the device for which PIN was requested
828 ** res - result of the operation BTM_SUCCESS if success
829 ** pin_len - length in bytes of the PIN Code
830 ** p_pin - pointer to array with the PIN Code
831 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
832 **
833 *******************************************************************************/
834 #if (SMP_INCLUDED == TRUE)
835 #if (CLASSIC_BT_INCLUDED == TRUE)
BTM_PINCodeReply(BD_ADDR bd_addr,UINT8 res,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])836 void BTM_PINCodeReply (BD_ADDR bd_addr, UINT8 res, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
837 {
838 tBTM_SEC_DEV_REC *p_dev_rec;
839 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
840 BTM_TRACE_API ("BTM_PINCodeReply(): PairState: %s PairFlags: 0x%02x PinLen:%d Result:%d\n",
841 btm_pair_state_descr(btm_cb.pairing_state), btm_cb.pairing_flags, pin_len, res);
842 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
843 /* If timeout already expired or has been canceled, ignore the reply */
844 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) {
845 BTM_TRACE_WARNING ("BTM_PINCodeReply() - Wrong State: %d\n", btm_cb.pairing_state);
846 return;
847 }
848
849 if (memcmp (bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) {
850 BTM_TRACE_ERROR ("BTM_PINCodeReply() - Wrong BD Addr\n");
851 return;
852 }
853
854 if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL) {
855 BTM_TRACE_ERROR ("BTM_PINCodeReply() - no dev CB\n");
856 return;
857 }
858
859 if ( (pin_len > PIN_CODE_LEN) || (pin_len == 0) || (p_pin == NULL) ) {
860 res = BTM_ILLEGAL_VALUE;
861 }
862
863 if (res != BTM_SUCCESS) {
864 /* if peer started dd OR we started dd and pre-fetch pin was not used send negative reply */
865 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) ||
866 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
867 (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) ) {
868 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
869 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
870 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
871
872 btsnd_hcic_pin_code_neg_reply (bd_addr);
873 } else {
874 p_dev_rec->security_required = BTM_SEC_NONE;
875 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
876 }
877 return;
878 }
879 if (trusted_mask) {
880 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
881 }
882 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
883 if (pin_len >= 16) {
884 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
885 }
886
887 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
888 && (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
889 && (btm_cb.security_mode_changed == FALSE) ) {
890 /* This is start of the dedicated bonding if local device is 2.0 */
891 btm_cb.pin_code_len = pin_len;
892 p_dev_rec->pin_code_length = pin_len;
893 memcpy (btm_cb.pin_code, p_pin, pin_len);
894
895 btm_cb.security_mode_changed = TRUE;
896 #ifdef APPL_AUTH_WRITE_EXCEPTION
897 if (!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
898 #endif
899 {
900 btsnd_hcic_write_auth_enable (TRUE);
901 }
902
903 btm_cb.acl_disc_reason = 0xff ;
904
905 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
906 /* before originating */
907 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) {
908 BTM_TRACE_WARNING ("BTM_PINCodeReply(): waiting HCI_Connection_Complete after rejected incoming connection\n");
909 /* we change state little bit early so btm_sec_connected() will originate connection */
910 /* when existing ACL link is down completely */
911 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
912 }
913 /* if we already accepted incoming connection from pairing device */
914 else if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) {
915 BTM_TRACE_WARNING ("BTM_PINCodeReply(): link is connecting so wait pin code request from peer\n");
916 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
917 } else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) {
918 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
919 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_AUTHED;
920
921 if (btm_cb.api.p_auth_complete_callback) {
922 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
923 p_dev_rec->sec_bd_name, HCI_ERR_AUTH_FAILURE);
924 }
925 }
926 return;
927 }
928
929 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
930 btm_cb.acl_disc_reason = HCI_SUCCESS;
931
932 #ifdef PORCHE_PAIRING_CONFLICT
933 BTM_TRACE_EVENT("BTM_PINCodeReply(): Saving pin_len: %d btm_cb.pin_code_len: %d\n", pin_len, btm_cb.pin_code_len);
934 /* if this was not pre-fetched, save the PIN */
935 if (btm_cb.pin_code_len == 0) {
936 memcpy (btm_cb.pin_code, p_pin, pin_len);
937 }
938 btm_cb.pin_code_len_saved = pin_len;
939 #endif
940 btsnd_hcic_pin_code_req_reply (bd_addr, pin_len, p_pin);
941 }
942 #endif ///CLASSIC_BT_INCLUDED == TRUE
943 #endif ///SMP_INCLUDED == TRUE
944
945
946 /*******************************************************************************
947 **
948 ** Function btm_sec_bond_by_transport
949 **
950 ** Description this is the bond function that will start either SSP or SMP.
951 **
952 ** Parameters: bd_addr - Address of the device to bond
953 ** pin_len - length in bytes of the PIN Code
954 ** p_pin - pointer to array with the PIN Code
955 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
956 **
957 ** Note: After 2.1 parameters are not used and preserved here not to change API
958 *******************************************************************************/
959 #if (SMP_INCLUDED == TRUE)
btm_sec_bond_by_transport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])960 tBTM_STATUS btm_sec_bond_by_transport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
961 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
962 {
963 tBTM_SEC_DEV_REC *p_dev_rec;
964 tBTM_STATUS status;
965 #if (!CONFIG_BT_STACK_NO_LOG)
966 UINT8 *p_features;
967 #endif
968 UINT8 ii;
969 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
970 BTM_TRACE_API ("btm_sec_bond_by_transport BDA: %02x:%02x:%02x:%02x:%02x:%02x\n",
971 bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5]);
972
973 BTM_TRACE_DEBUG("btm_sec_bond_by_transport: Transport used %d\n" , transport);
974
975
976 /* Other security process is in progress */
977 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
978 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
979 BTM_TRACE_ERROR ("BTM_SecBond: already busy in state: %s\n", btm_pair_state_descr(btm_cb.pairing_state));
980 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
981 return (BTM_WRONG_MODE);
982 }
983
984 if ((p_dev_rec = btm_find_or_alloc_dev (bd_addr)) == NULL) {
985 return (BTM_NO_RESOURCES);
986 }
987
988 BTM_TRACE_DEBUG ("before update sec_flags=0x%x\n", p_dev_rec->sec_flags);
989
990 /* Finished if connection is active and already paired */
991 if ( ((p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_BR_EDR
992 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
993 #if (BLE_INCLUDED == TRUE)
994 || ((p_dev_rec->ble_hci_handle != BTM_SEC_INVALID_HANDLE) && transport == BT_TRANSPORT_LE
995 && (p_dev_rec->sec_flags & BTM_SEC_LE_AUTHENTICATED))
996 #endif
997
998 ) {
999 BTM_TRACE_WARNING("BTM_SecBond -> Already Paired\n");
1000 return (BTM_SUCCESS);
1001 }
1002
1003 /* Tell controller to get rid of the link key if it has one stored */
1004 if ((BTM_DeleteStoredLinkKey (bd_addr, NULL)) != BTM_SUCCESS) {
1005 return (BTM_NO_RESOURCES);
1006 }
1007
1008 #if (CLASSIC_BT_INCLUDED == TRUE)
1009 /* Save the PIN code if we got a valid one */
1010 if (p_pin && (pin_len <= PIN_CODE_LEN) && (pin_len != 0)) {
1011 btm_cb.pin_code_len = pin_len;
1012 p_dev_rec->pin_code_length = pin_len;
1013 memcpy (btm_cb.pin_code, p_pin, PIN_CODE_LEN);
1014 }
1015 #endif ///CLASSIC_BT_INCLUDED == TRUE
1016
1017 memcpy (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN);
1018
1019 btm_cb.pairing_flags = BTM_PAIR_FLAGS_WE_STARTED_DD;
1020
1021 p_dev_rec->security_required = BTM_SEC_OUT_AUTHENTICATE;
1022 p_dev_rec->is_originator = TRUE;
1023 if (trusted_mask) {
1024 BTM_SEC_COPY_TRUSTED_DEVICE(trusted_mask, p_dev_rec->trusted_mask);
1025 }
1026
1027 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1028 if (transport == BT_TRANSPORT_LE) {
1029 btm_ble_init_pseudo_addr (p_dev_rec, bd_addr);
1030 p_dev_rec->sec_flags &= ~ BTM_SEC_LE_MASK;
1031
1032 if (SMP_Pair(bd_addr) == SMP_STARTED) {
1033 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_LE_ACTIVE;
1034 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
1035 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1036 return BTM_CMD_STARTED;
1037 }
1038
1039 btm_cb.pairing_flags = 0;
1040 return (BTM_NO_RESOURCES);
1041 }
1042 #endif
1043
1044 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
1045 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_LINK_KEY_AUTHED);
1046
1047
1048 BTM_TRACE_DEBUG ("after update sec_flags=0x%x\n", p_dev_rec->sec_flags);
1049
1050 #if (CLASSIC_BT_INCLUDED == TRUE)
1051 if (!controller_get_interface()->supports_simple_pairing()) {
1052 /* The special case when we authenticate keyboard. Set pin type to fixed */
1053 /* It would be probably better to do it from the application, but it is */
1054 /* complicated */
1055 if (((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
1056 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)
1057 && (btm_cb.cfg.pin_type != HCI_PIN_TYPE_FIXED)) {
1058 btm_cb.pin_type_changed = TRUE;
1059 btsnd_hcic_write_pin_type (HCI_PIN_TYPE_FIXED);
1060 }
1061 }
1062 #endif ///CLASSIC_BT_INCLUDED == TRUE
1063
1064 for (ii = 0; ii <= HCI_EXT_FEATURES_PAGE_MAX; ii++) {
1065 #if (!CONFIG_BT_STACK_NO_LOG)
1066 p_features = p_dev_rec->features[ii];
1067 #endif
1068 BTM_TRACE_EVENT(" remote_features page[%1d] = %02x-%02x-%02x-%02x\n",
1069 ii, p_features[0], p_features[1], p_features[2], p_features[3]);
1070 BTM_TRACE_EVENT(" %02x-%02x-%02x-%02x\n",
1071 p_features[4], p_features[5], p_features[6], p_features[7]);
1072 }
1073
1074 BTM_TRACE_EVENT ("BTM_SecBond: Remote sm4: 0x%x HCI Handle: 0x%04x\n", p_dev_rec->sm4, p_dev_rec->hci_handle);
1075
1076 #if BTM_SEC_FORCE_RNR_FOR_DBOND == TRUE
1077 p_dev_rec->sec_flags &= ~BTM_SEC_NAME_KNOWN;
1078 #endif
1079
1080 /* If connection already exists... */
1081 if (p && p->hci_handle != BTM_SEC_INVALID_HANDLE) {
1082 if (!btm_sec_start_authentication (p_dev_rec)) {
1083 return (BTM_NO_RESOURCES);
1084 }
1085
1086 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1087
1088 /* Mark lcb as bonding */
1089 l2cu_update_lcb_4_bonding (bd_addr, TRUE);
1090 return (BTM_CMD_STARTED);
1091 }
1092
1093 BTM_TRACE_DEBUG ("sec mode: %d sm4:x%x\n", btm_cb.security_mode, p_dev_rec->sm4);
1094 if (!controller_get_interface()->supports_simple_pairing()
1095 || (p_dev_rec->sm4 == BTM_SM4_KNOWN)) {
1096 if ( btm_sec_check_prefetch_pin (p_dev_rec) ) {
1097 return (BTM_CMD_STARTED);
1098 }
1099 }
1100 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
1101 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
1102 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
1103 BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
1104 /* local is 2.1 and peer is unknown */
1105 if ((p_dev_rec->sm4 & BTM_SM4_CONN_PEND) == 0) {
1106 /* we are not accepting connection request from peer
1107 * -> RNR (to learn if peer is 2.1)
1108 * RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
1109 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
1110 BTM_ReadRemoteDeviceName(bd_addr, NULL, BT_TRANSPORT_BR_EDR);
1111 } else {
1112 /* We are accepting connection request from peer */
1113 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
1114 }
1115 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
1116 BTM_TRACE_DEBUG ("State:%s sm4: 0x%x sec_state:%d\n",
1117 btm_pair_state_descr (btm_cb.pairing_state), p_dev_rec->sm4, p_dev_rec->sec_state);
1118 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
1119 return BTM_CMD_STARTED;
1120 }
1121
1122 /* both local and peer are 2.1 */
1123 status = btm_sec_dd_create_conn(p_dev_rec);
1124
1125 if (status != BTM_CMD_STARTED) {
1126 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1127 }
1128
1129 return status;
1130 }
1131
1132 /*******************************************************************************
1133 **
1134 ** Function BTM_SecBondByTransport
1135 **
1136 ** Description This function is called to perform bonding with peer device.
1137 ** If the connection is already up, but not secure, pairing
1138 ** is attempted. If already paired BTM_SUCCESS is returned.
1139 **
1140 ** Parameters: bd_addr - Address of the device to bond
1141 ** transport - doing SSP over BR/EDR or SMP over LE
1142 ** pin_len - length in bytes of the PIN Code
1143 ** p_pin - pointer to array with the PIN Code
1144 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1145 **
1146 ** Note: After 2.1 parameters are not used and preserved here not to change API
1147 *******************************************************************************/
BTM_SecBondByTransport(BD_ADDR bd_addr,tBT_TRANSPORT transport,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1148 tBTM_STATUS BTM_SecBondByTransport (BD_ADDR bd_addr, tBT_TRANSPORT transport,
1149 UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1150 {
1151 #if (BLE_INCLUDED == TRUE)
1152 tBT_DEVICE_TYPE dev_type;
1153 tBLE_ADDR_TYPE addr_type = 0;
1154
1155 BTM_ReadDevInfo(bd_addr, &dev_type, &addr_type);
1156 /* LE device, do SMP pairing */
1157 if ((transport == BT_TRANSPORT_LE && (dev_type & BT_DEVICE_TYPE_BLE) == 0) ||
1158 (transport == BT_TRANSPORT_BR_EDR && (dev_type & BT_DEVICE_TYPE_BREDR) == 0)) {
1159 return BTM_ILLEGAL_ACTION;
1160 }
1161 #endif ///BLE_INCLUDED == TRUE
1162
1163 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1164 }
1165 #endif ///SMP_INCLUDED == TRUE
1166
1167 /*******************************************************************************
1168 **
1169 ** Function BTM_SecBond
1170 **
1171 ** Description This function is called to perform bonding with peer device.
1172 ** If the connection is already up, but not secure, pairing
1173 ** is attempted. If already paired BTM_SUCCESS is returned.
1174 **
1175 ** Parameters: bd_addr - Address of the device to bond
1176 ** pin_len - length in bytes of the PIN Code
1177 ** p_pin - pointer to array with the PIN Code
1178 ** trusted_mask - bitwise OR of trusted services (array of UINT32)
1179 **
1180 ** Note: After 2.1 parameters are not used and preserved here not to change API
1181 *******************************************************************************/
1182 #if (SMP_INCLUDED == TRUE)
BTM_SecBond(BD_ADDR bd_addr,UINT8 pin_len,UINT8 * p_pin,UINT32 trusted_mask[])1183 tBTM_STATUS BTM_SecBond (BD_ADDR bd_addr, UINT8 pin_len, UINT8 *p_pin, UINT32 trusted_mask[])
1184 {
1185 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
1186 #if (BLE_INCLUDED == TRUE)
1187 if (BTM_UseLeLink(bd_addr)) {
1188 transport = BT_TRANSPORT_LE;
1189 }
1190 #endif ///BLE_INCLUDED == TRUE
1191 return btm_sec_bond_by_transport(bd_addr, transport, pin_len, p_pin, trusted_mask);
1192 }
1193 /*******************************************************************************
1194 **
1195 ** Function BTM_SecBondCancel
1196 **
1197 ** Description This function is called to cancel ongoing bonding process
1198 ** with peer device.
1199 **
1200 ** Parameters: bd_addr - Address of the peer device
1201 ** transport - FALSE for BR/EDR link; TRUE for LE link
1202 **
1203 *******************************************************************************/
BTM_SecBondCancel(BD_ADDR bd_addr)1204 tBTM_STATUS BTM_SecBondCancel (BD_ADDR bd_addr)
1205 {
1206 tBTM_SEC_DEV_REC *p_dev_rec;
1207 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
1208 BTM_TRACE_API ("BTM_SecBondCancel() State: %s flags:0x%x\n",
1209 btm_pair_state_descr (btm_cb.pairing_state), btm_cb.pairing_flags);
1210 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
1211 if (((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
1212 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) {
1213 return BTM_UNKNOWN_ADDR;
1214 }
1215
1216 #if SMP_INCLUDED == TRUE
1217 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_LE_ACTIVE) {
1218 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING) {
1219 BTM_TRACE_DEBUG ("Cancel LE pairing\n");
1220 if (SMP_PairCancel(bd_addr)) {
1221 return BTM_CMD_STARTED;
1222 }
1223 }
1224 return BTM_WRONG_MODE;
1225 }
1226
1227 #endif
1228 BTM_TRACE_DEBUG ("hci_handle:0x%x sec_state:%d\n", p_dev_rec->hci_handle, p_dev_rec->sec_state );
1229 if (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
1230 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) {
1231 /* pre-fetching pin for dedicated bonding */
1232 btm_sec_bond_cancel_complete();
1233 return BTM_SUCCESS;
1234 }
1235
1236 /* If this BDA is in a bonding procedure */
1237 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
1238 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) {
1239 /* If the HCI link is up */
1240 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) {
1241 /* If some other thread disconnecting, we do not send second command */
1242 if ((p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING) ||
1243 (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)) {
1244 return (BTM_CMD_STARTED);
1245 }
1246
1247 /* If the HCI link was set up by Bonding process */
1248 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) {
1249 return btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
1250 } else {
1251 l2cu_update_lcb_4_bonding(bd_addr, FALSE);
1252 }
1253
1254 return BTM_NOT_AUTHORIZED;
1255 } else { /*HCI link is not up */
1256 /* If the HCI link creation was started by Bonding process */
1257 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) {
1258 if (btsnd_hcic_create_conn_cancel(bd_addr)) {
1259 return BTM_CMD_STARTED;
1260 }
1261
1262 return BTM_NO_RESOURCES;
1263 }
1264 if (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) {
1265 BTM_CancelRemoteDeviceName();
1266 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_WE_CANCEL_DD;
1267 return BTM_CMD_STARTED;
1268 }
1269 return BTM_NOT_AUTHORIZED;
1270 }
1271 }
1272 return BTM_WRONG_MODE;
1273 }
1274
1275
1276 /*******************************************************************************
1277 **
1278 ** Function BTM_SecGetDeviceLinkKey
1279 **
1280 ** Description This function is called to obtain link key for the device
1281 ** it returns BTM_SUCCESS if link key is available, or
1282 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1283 ** the device or device record does not contain link key info
1284 **
1285 ** Parameters: bd_addr - Address of the device
1286 ** link_key - Link Key is copied into this array
1287 **
1288 *******************************************************************************/
BTM_SecGetDeviceLinkKey(BD_ADDR bd_addr,LINK_KEY link_key)1289 tBTM_STATUS BTM_SecGetDeviceLinkKey (BD_ADDR bd_addr, LINK_KEY link_key)
1290 {
1291 tBTM_SEC_DEV_REC *p_dev_rec;
1292
1293 if (((p_dev_rec = btm_find_dev (bd_addr)) != NULL)
1294 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) {
1295 memcpy (link_key, p_dev_rec->link_key, LINK_KEY_LEN);
1296 return (BTM_SUCCESS);
1297 }
1298 return (BTM_UNKNOWN_ADDR);
1299 }
1300 #endif ///SMP_INCLUDED == TRUE
1301
1302 /*******************************************************************************
1303 **
1304 ** Function BTM_SecGetDeviceLinkKeyType
1305 **
1306 ** Description This function is called to obtain link key type for the
1307 ** device.
1308 ** it returns BTM_SUCCESS if link key is available, or
1309 ** BTM_UNKNOWN_ADDR if Security Manager does not know about
1310 ** the device or device record does not contain link key info
1311 **
1312 ** Returns BTM_LKEY_TYPE_IGNORE if link key is unknown, link type
1313 ** otherwise.
1314 **
1315 *******************************************************************************/
BTM_SecGetDeviceLinkKeyType(BD_ADDR bd_addr)1316 tBTM_LINK_KEY_TYPE BTM_SecGetDeviceLinkKeyType (BD_ADDR bd_addr)
1317 {
1318 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1319
1320 if ((p_dev_rec != NULL) && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) {
1321 return p_dev_rec->link_key_type;
1322 }
1323 return BTM_LKEY_TYPE_IGNORE;
1324 }
1325
1326 /*******************************************************************************
1327 **
1328 ** Function BTM_SetEncryption
1329 **
1330 ** Description This function is called to ensure that connection is
1331 ** encrypted. Should be called only on an open connection.
1332 ** Typically only needed for connections that first want to
1333 ** bring up unencrypted links, then later encrypt them.
1334 **
1335 ** Parameters: bd_addr - Address of the peer device
1336 ** p_callback - Pointer to callback function called if
1337 ** this function returns PENDING after required
1338 ** procedures are completed. Can be set to NULL
1339 ** if status is not desired.
1340 ** p_ref_data - pointer to any data the caller wishes to receive
1341 ** in the callback function upon completion.
1342 * can be set to NULL if not used.
1343 ** transport - TRUE to encryption the link over LE transport
1344 ** or FALSE for BR/EDR transport
1345 **
1346 ** Returns BTM_SUCCESS - already encrypted
1347 ** BTM_PENDING - command will be returned in the callback
1348 ** BTM_WRONG_MODE- connection not up.
1349 ** BTM_BUSY - security procedures are currently active
1350 ** BTM_MODE_UNSUPPORTED - if security manager not linked in.
1351 **
1352 *******************************************************************************/
1353 #if (SMP_INCLUDED == TRUE)
BTM_SetEncryption(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CBACK * p_callback,void * p_ref_data)1354 tBTM_STATUS BTM_SetEncryption (BD_ADDR bd_addr, tBT_TRANSPORT transport, tBTM_SEC_CBACK *p_callback,
1355 void *p_ref_data)
1356 {
1357 tBTM_STATUS rc = 0;
1358
1359 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1360 if (!p_dev_rec ||
1361 (transport == BT_TRANSPORT_BR_EDR && p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)
1362 #if BLE_INCLUDED == TRUE
1363 || (transport == BT_TRANSPORT_LE && p_dev_rec->ble_hci_handle == BTM_SEC_INVALID_HANDLE)
1364 #endif
1365 ) {
1366 /* Connection should be up and runnning */
1367 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption not connected\n");
1368
1369 if (p_callback) {
1370 (*p_callback) (bd_addr, transport, p_ref_data, BTM_WRONG_MODE);
1371 }
1372
1373 return (BTM_WRONG_MODE);
1374 }
1375
1376 if ((transport == BT_TRANSPORT_BR_EDR &&
1377 (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))
1378 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1379 || (transport == BT_TRANSPORT_LE &&
1380 (p_dev_rec->sec_flags & BTM_SEC_LE_ENCRYPTED))
1381 #endif
1382 ) {
1383 BTM_TRACE_EVENT ("Security Manager: BTM_SetEncryption already encrypted\n");
1384
1385 if (p_callback) {
1386 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
1387 }
1388
1389 return (BTM_SUCCESS);
1390 }
1391 p_dev_rec->enc_init_by_we = TRUE;
1392 /* enqueue security request if security is active */
1393 if (p_dev_rec->p_callback || (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE)) {
1394 BTM_TRACE_WARNING ("Security Manager: BTM_SetEncryption busy, enqueue request\n");
1395
1396 if (btm_sec_queue_encrypt_request(bd_addr, transport, p_callback, p_ref_data)) {
1397 return BTM_CMD_STARTED;
1398 } else {
1399 if (p_callback) {
1400 (*p_callback) (bd_addr, transport, p_ref_data, BTM_NO_RESOURCES);
1401 }
1402 return BTM_NO_RESOURCES;
1403 }
1404 }
1405
1406 p_dev_rec->p_callback = p_callback;
1407 p_dev_rec->p_ref_data = p_ref_data;
1408 p_dev_rec->security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
1409 p_dev_rec->is_originator = FALSE;
1410
1411 BTM_TRACE_API ("Security Manager: BTM_SetEncryption Handle:%d State:%d Flags:0x%x Required:0x%x\n",
1412 p_dev_rec->hci_handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
1413 p_dev_rec->security_required);
1414
1415 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1416 if (transport == BT_TRANSPORT_LE) {
1417 tACL_CONN *p = btm_bda_to_acl(bd_addr, transport);
1418 if (p) {
1419 rc = btm_ble_set_encryption(bd_addr, p_ref_data, p->link_role);
1420 } else {
1421 rc = BTM_WRONG_MODE;
1422 BTM_TRACE_WARNING("%s: cannot call btm_ble_set_encryption, p is NULL\n", __FUNCTION__);
1423 }
1424 } else
1425 #endif
1426 {
1427 rc = btm_sec_execute_procedure (p_dev_rec);
1428 }
1429
1430 if (rc != BTM_CMD_STARTED && rc != BTM_BUSY) {
1431 if (p_callback) {
1432 p_dev_rec->p_callback = NULL;
1433 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, rc);
1434 }
1435 }
1436
1437 return (rc);
1438 }
1439
1440 /*******************************************************************************
1441 * disconnect the ACL link, if it's not done yet.
1442 *******************************************************************************/
btm_sec_send_hci_disconnect(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 reason,UINT16 conn_handle)1443 static tBTM_STATUS btm_sec_send_hci_disconnect (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 reason, UINT16 conn_handle)
1444 {
1445 UINT8 old_state = p_dev_rec->sec_state;
1446 tBTM_STATUS status = BTM_CMD_STARTED;
1447
1448 BTM_TRACE_EVENT ("btm_sec_send_hci_disconnect: handle:0x%x, reason=0x%x\n",
1449 conn_handle, reason);
1450
1451 /* send HCI_Disconnect on a transport only once */
1452 switch (old_state) {
1453 case BTM_SEC_STATE_DISCONNECTING:
1454 if (conn_handle == p_dev_rec->hci_handle) {
1455 return status;
1456 }
1457
1458 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1459 break;
1460
1461 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1462 case BTM_SEC_STATE_DISCONNECTING_BLE:
1463 if (conn_handle == p_dev_rec->ble_hci_handle) {
1464 return status;
1465 }
1466
1467 p_dev_rec->sec_state = BTM_SEC_STATE_DISCONNECTING_BOTH;
1468 break;
1469
1470 case BTM_SEC_STATE_DISCONNECTING_BOTH:
1471 return status;
1472 #endif
1473
1474 default:
1475 p_dev_rec->sec_state = (conn_handle == p_dev_rec->hci_handle) ?
1476 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
1477
1478 break;
1479 }
1480
1481 /* If a role switch is in progress, delay the HCI Disconnect to avoid controller problem */
1482 if (p_dev_rec->rs_disc_pending == BTM_SEC_RS_PENDING && p_dev_rec->hci_handle == conn_handle) {
1483 BTM_TRACE_DEBUG("RS in progress - Set DISC Pending flag in btm_sec_send_hci_disconnect to delay disconnect\n");
1484 p_dev_rec->rs_disc_pending = BTM_SEC_DISC_PENDING;
1485 status = BTM_SUCCESS;
1486 }
1487 /* Tear down the HCI link */
1488 else if (!btsnd_hcic_disconnect (conn_handle, reason)) {
1489 /* could not send disconnect. restore old state */
1490 p_dev_rec->sec_state = old_state;
1491 status = BTM_NO_RESOURCES;
1492 }
1493
1494 return status;
1495 }
1496 #endif ///SMP_INCLUDED == TRUE
1497 /*******************************************************************************
1498 **
1499 ** Function BTM_ConfirmReqReply
1500 **
1501 ** Description This function is called to confirm the numeric value for
1502 ** Simple Pairing in response to BTM_SP_CFM_REQ_EVT
1503 **
1504 ** Parameters: res - result of the operation BTM_SUCCESS if success
1505 ** bd_addr - Address of the peer device
1506 **
1507 *******************************************************************************/
1508 #if (SMP_INCLUDED == TRUE)
BTM_ConfirmReqReply(tBTM_STATUS res,BD_ADDR bd_addr)1509 void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr)
1510 {
1511 tBTM_SEC_DEV_REC *p_dev_rec;
1512 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
1513 BTM_TRACE_EVENT ("BTM_ConfirmReqReply() State: %s Res: %u",
1514 btm_pair_state_descr(btm_cb.pairing_state), res);
1515 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
1516 /* If timeout already expired or has been canceled, ignore the reply */
1517 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM)
1518 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) {
1519 return;
1520 }
1521
1522 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1523
1524 if ( (res == BTM_SUCCESS) || (res == BTM_SUCCESS_NO_SECURITY) ) {
1525 btm_cb.acl_disc_reason = HCI_SUCCESS;
1526
1527 if (res == BTM_SUCCESS) {
1528 if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) {
1529 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED;
1530 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
1531 }
1532 }
1533
1534 btsnd_hcic_user_conf_reply (bd_addr, TRUE);
1535 } else {
1536 /* Report authentication failed event from state BTM_PAIR_STATE_WAIT_AUTH_COMPLETE */
1537 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1538 btsnd_hcic_user_conf_reply (bd_addr, FALSE);
1539 }
1540 }
1541 #endif ///SMP_INCLUDED == TRUE
1542
1543 /*******************************************************************************
1544 **
1545 ** Function BTM_PasskeyReqReply
1546 **
1547 ** Description This function is called to provide the passkey for
1548 ** Simple Pairing in response to BTM_SP_KEY_REQ_EVT
1549 **
1550 ** Parameters: res - result of the operation BTM_SUCCESS if success
1551 ** bd_addr - Address of the peer device
1552 ** passkey - numeric value in the range of
1553 ** BTM_MIN_PASSKEY_VAL(0) - BTM_MAX_PASSKEY_VAL(999999(0xF423F)).
1554 **
1555 *******************************************************************************/
1556 #if (BT_SSP_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
BTM_PasskeyReqReply(tBTM_STATUS res,BD_ADDR bd_addr,UINT32 passkey)1557 void BTM_PasskeyReqReply(tBTM_STATUS res, BD_ADDR bd_addr, UINT32 passkey)
1558 {
1559 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
1560 BTM_TRACE_API ("BTM_PasskeyReqReply: State: %s res:%d\n",
1561 btm_pair_state_descr(btm_cb.pairing_state), res);
1562 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
1563 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE)
1564 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) {
1565 return;
1566 }
1567
1568 /* If timeout already expired or has been canceled, ignore the reply */
1569 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) && (res != BTM_SUCCESS) ) {
1570 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
1571 if (p_dev_rec != NULL) {
1572 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1573
1574 if (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE) {
1575 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
1576 } else {
1577 BTM_SecBondCancel(bd_addr);
1578 }
1579
1580 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_AUTHED | BTM_SEC_LINK_KEY_KNOWN);
1581
1582 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
1583 return;
1584 }
1585 } else if (btm_cb.pairing_state != BTM_PAIR_STATE_KEY_ENTRY) {
1586 return;
1587 }
1588
1589 if (passkey > BTM_MAX_PASSKEY_VAL) {
1590 res = BTM_ILLEGAL_VALUE;
1591 }
1592
1593 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1594
1595 if (res != BTM_SUCCESS) {
1596 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1597 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1598 btsnd_hcic_user_passkey_neg_reply (bd_addr);
1599 } else {
1600 btm_cb.acl_disc_reason = HCI_SUCCESS;
1601 btsnd_hcic_user_passkey_reply (bd_addr, passkey);
1602 }
1603 }
1604 #endif ///BT_SSP_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1605
1606 /*******************************************************************************
1607 **
1608 ** Function BTM_SendKeypressNotif
1609 **
1610 ** Description This function is used during the passkey entry model
1611 ** by a device with KeyboardOnly IO capabilities
1612 ** (very likely to be a HID Device).
1613 ** It is called by a HID Device to inform the remote device when
1614 ** a key has been entered or erased.
1615 **
1616 ** Parameters: bd_addr - Address of the peer device
1617 ** type - notification type
1618 **
1619 *******************************************************************************/
1620 #if (BT_SSP_INCLUDED == TRUE && SMP_INCLUDED == TRUE)
BTM_SendKeypressNotif(BD_ADDR bd_addr,tBTM_SP_KEY_TYPE type)1621 void BTM_SendKeypressNotif(BD_ADDR bd_addr, tBTM_SP_KEY_TYPE type)
1622 {
1623 /* This API only make sense between PASSKEY_REQ and SP complete */
1624 if (btm_cb.pairing_state == BTM_PAIR_STATE_KEY_ENTRY) {
1625 btsnd_hcic_send_keypress_notif (bd_addr, type);
1626 }
1627 }
1628 #endif ///BT_SSP_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1629
1630 #if BTM_OOB_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1631 /*******************************************************************************
1632 **
1633 ** Function BTM_IoCapRsp
1634 **
1635 ** Description This function is called in response to BTM_SP_IO_REQ_EVT
1636 ** When the event data io_req.oob_data is set to BTM_OOB_UNKNOWN
1637 ** by the tBTM_SP_CALLBACK implementation, this function is
1638 ** called to provide the actual response
1639 **
1640 ** Parameters: bd_addr - Address of the peer device
1641 ** io_cap - The IO capability of local device.
1642 ** oob - BTM_OOB_NONE or BTM_OOB_PRESENT.
1643 ** auth_req- MITM protection required or not.
1644 **
1645 *******************************************************************************/
BTM_IoCapRsp(BD_ADDR bd_addr,tBTM_IO_CAP io_cap,tBTM_OOB_DATA oob,tBTM_AUTH_REQ auth_req)1646 void BTM_IoCapRsp(BD_ADDR bd_addr, tBTM_IO_CAP io_cap, tBTM_OOB_DATA oob, tBTM_AUTH_REQ auth_req)
1647 {
1648 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
1649 BTM_TRACE_EVENT ("BTM_IoCapRsp: state: %s oob: %d io_cap: %d\n",
1650 btm_pair_state_descr(btm_cb.pairing_state), oob, io_cap);
1651 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
1652 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS)
1653 || (memcmp (btm_cb.pairing_bda, bd_addr, BD_ADDR_LEN) != 0) ) {
1654 return;
1655 }
1656
1657 if (oob < BTM_OOB_UNKNOWN && io_cap < BTM_IO_CAP_MAX) {
1658 btm_cb.devcb.loc_auth_req = auth_req;
1659 btm_cb.devcb.loc_io_caps = io_cap;
1660
1661 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) {
1662 auth_req = (BTM_AUTH_DD_BOND | (auth_req & BTM_AUTH_YN_BIT));
1663 }
1664
1665 btsnd_hcic_io_cap_req_reply (bd_addr, io_cap, oob, auth_req);
1666 }
1667 }
1668
1669 /*******************************************************************************
1670 **
1671 ** Function BTM_ReadLocalOobData
1672 **
1673 ** Description This function is called to read the local OOB data from
1674 ** LM
1675 **
1676 *******************************************************************************/
BTM_ReadLocalOobData(void)1677 tBTM_STATUS BTM_ReadLocalOobData(void)
1678 {
1679 tBTM_STATUS status = BTM_SUCCESS;
1680
1681 if (btsnd_hcic_read_local_oob_data() == FALSE) {
1682 status = BTM_NO_RESOURCES;
1683 }
1684
1685 return status;
1686 }
1687
1688 /*******************************************************************************
1689 **
1690 ** Function BTM_RemoteOobDataReply
1691 **
1692 ** Description This function is called to provide the remote OOB data for
1693 ** Simple Pairing in response to BTM_SP_RMT_OOB_EVT
1694 **
1695 ** Parameters: bd_addr - Address of the peer device
1696 ** c - simple pairing Hash C.
1697 ** r - simple pairing Randomizer C.
1698 **
1699 *******************************************************************************/
BTM_RemoteOobDataReply(tBTM_STATUS res,BD_ADDR bd_addr,BT_OCTET16 c,BT_OCTET16 r)1700 void BTM_RemoteOobDataReply(tBTM_STATUS res, BD_ADDR bd_addr, BT_OCTET16 c, BT_OCTET16 r)
1701 {
1702 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
1703 BTM_TRACE_EVENT ("%s() - State: %s res: %d\n", __func__,
1704 btm_pair_state_descr(btm_cb.pairing_state), res);
1705 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
1706 /* If timeout already expired or has been canceled, ignore the reply */
1707 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP) {
1708 return;
1709 }
1710
1711 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
1712
1713 if (res != BTM_SUCCESS) {
1714 /* use BTM_PAIR_STATE_WAIT_AUTH_COMPLETE to report authentication failed event */
1715 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
1716 btsnd_hcic_rem_oob_neg_reply (bd_addr);
1717 } else {
1718 btm_cb.acl_disc_reason = HCI_SUCCESS;
1719 btsnd_hcic_rem_oob_reply (bd_addr, c, r);
1720 }
1721 }
1722
1723 /*******************************************************************************
1724 **
1725 ** Function BTM_BuildOobData
1726 **
1727 ** Description This function is called to build the OOB data payload to
1728 ** be sent over OOB (non-Bluetooth) link
1729 **
1730 ** Parameters: p_data - the location for OOB data
1731 ** max_len - p_data size.
1732 ** c - simple pairing Hash C.
1733 ** r - simple pairing Randomizer C.
1734 ** name_len- 0, local device name would not be included.
1735 ** otherwise, the local device name is included for
1736 ** up to this specified length
1737 **
1738 ** Returns Number of bytes in p_data.
1739 **
1740 *******************************************************************************/
BTM_BuildOobData(UINT8 * p_data,UINT16 max_len,BT_OCTET16 c,BT_OCTET16 r,UINT8 name_len)1741 UINT16 BTM_BuildOobData(UINT8 *p_data, UINT16 max_len, BT_OCTET16 c,
1742 BT_OCTET16 r, UINT8 name_len)
1743 {
1744 UINT8 *p = p_data;
1745 UINT16 len = 0;
1746 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1747 UINT16 name_size;
1748 UINT8 name_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
1749 #endif
1750
1751 if (p_data && max_len >= BTM_OOB_MANDATORY_SIZE) {
1752 /* add mandatory part */
1753 UINT16_TO_STREAM(p, len);
1754 BDADDR_TO_STREAM(p, controller_get_interface()->get_address()->address);
1755
1756 len = BTM_OOB_MANDATORY_SIZE;
1757 max_len -= len;
1758
1759 /* now optional part */
1760
1761 /* add Hash C */
1762 UINT16 delta = BTM_OOB_HASH_C_SIZE + 2;
1763 if (max_len >= delta) {
1764 *p++ = BTM_OOB_HASH_C_SIZE + 1;
1765 *p++ = BTM_EIR_OOB_SSP_HASH_C_TYPE;
1766 ARRAY_TO_STREAM(p, c, BTM_OOB_HASH_C_SIZE);
1767 len += delta;
1768 max_len -= delta;
1769 }
1770
1771 /* add Rand R */
1772 delta = BTM_OOB_RAND_R_SIZE + 2;
1773 if (max_len >= delta) {
1774 *p++ = BTM_OOB_RAND_R_SIZE + 1;
1775 *p++ = BTM_EIR_OOB_SSP_RAND_R_TYPE;
1776 ARRAY_TO_STREAM(p, r, BTM_OOB_RAND_R_SIZE);
1777 len += delta;
1778 max_len -= delta;
1779 }
1780
1781 /* add class of device */
1782 delta = BTM_OOB_COD_SIZE + 2;
1783 if (max_len >= delta) {
1784 *p++ = BTM_OOB_COD_SIZE + 1;
1785 *p++ = BTM_EIR_OOB_COD_TYPE;
1786 DEVCLASS_TO_STREAM(p, btm_cb.devcb.dev_class);
1787 len += delta;
1788 max_len -= delta;
1789 }
1790 #if BTM_MAX_LOC_BD_NAME_LEN > 0
1791 name_size = name_len;
1792 if (name_size > strlen(btm_cb.cfg.bd_name)) {
1793 name_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
1794 name_size = (UINT16)strlen(btm_cb.cfg.bd_name);
1795 }
1796 delta = name_size + 2;
1797 if (max_len >= delta) {
1798 *p++ = name_size + 1;
1799 *p++ = name_type;
1800 ARRAY_TO_STREAM (p, btm_cb.cfg.bd_name, name_size);
1801 len += delta;
1802 max_len -= delta;
1803 }
1804 #endif
1805 /* update len */
1806 p = p_data;
1807 UINT16_TO_STREAM(p, len);
1808 }
1809 return len;
1810 }
1811
1812 /*******************************************************************************
1813 **
1814 ** Function BTM_ReadOobData
1815 **
1816 ** Description This function is called to parse the OOB data payload
1817 ** received over OOB (non-Bluetooth) link
1818 **
1819 ** Parameters: p_data - the location for OOB data
1820 ** eir_tag - The associated EIR tag to read the data.
1821 ** *p_len(output) - the length of the data with the given tag.
1822 **
1823 ** Returns the beginning of the data with the given tag.
1824 ** NULL, if the tag is not found.
1825 **
1826 *******************************************************************************/
BTM_ReadOobData(UINT8 * p_data,UINT8 eir_tag,UINT8 * p_len)1827 UINT8 *BTM_ReadOobData(UINT8 *p_data, UINT8 eir_tag, UINT8 *p_len)
1828 {
1829 UINT8 *p = p_data;
1830 UINT16 max_len;
1831 UINT8 len, type;
1832 UINT8 *p_ret = NULL;
1833 UINT8 ret_len = 0;
1834
1835 if (p_data) {
1836 STREAM_TO_UINT16(max_len, p);
1837 if (max_len >= BTM_OOB_MANDATORY_SIZE) {
1838 if (BTM_EIR_OOB_BD_ADDR_TYPE == eir_tag) {
1839 p_ret = p; /* the location for bd_addr */
1840 ret_len = BTM_OOB_BD_ADDR_SIZE;
1841 } else {
1842 p += BD_ADDR_LEN;
1843 max_len -= BTM_OOB_MANDATORY_SIZE;
1844 /* now the optional data in EIR format */
1845 while (max_len > 0) {
1846 len = *p++; /* tag data len + 1 */
1847 type = *p++;
1848 if (eir_tag == type) {
1849 p_ret = p;
1850 ret_len = len - 1;
1851 break;
1852 }
1853 /* the data size of this tag is len + 1 (tag data len + 2) */
1854 if (max_len > len) {
1855 max_len -= len;
1856 max_len--;
1857 len--;
1858 p += len;
1859 } else {
1860 max_len = 0;
1861 }
1862 }
1863 }
1864 }
1865 }
1866
1867 if (p_len) {
1868 *p_len = ret_len;
1869 }
1870
1871 return p_ret;
1872 }
1873 #endif ///BTM_OOB_INCLUDED == TRUE && SMP_INCLUDED == TRUE
1874
1875 #if (CLASSIC_BT_INCLUDED == TRUE)
1876 /*******************************************************************************
1877 **
1878 ** Function BTM_BothEndsSupportSecureConnections
1879 **
1880 ** Description This function is called to check if both the local device and the peer device
1881 ** specified by bd_addr support BR/EDR Secure Connections.
1882 **
1883 ** Parameters: bd_addr - address of the peer
1884 **
1885 ** Returns TRUE if BR/EDR Secure Connections are supported by both local
1886 ** and the remote device.
1887 ** else FALSE.
1888 **
1889 *******************************************************************************/
BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)1890 BOOLEAN BTM_BothEndsSupportSecureConnections(BD_ADDR bd_addr)
1891 {
1892 return ((controller_get_interface()->supports_secure_connections()) &&
1893 (BTM_PeerSupportsSecureConnections(bd_addr)));
1894 }
1895
1896 /*******************************************************************************
1897 **
1898 ** Function BTM_PeerSupportsSecureConnections
1899 **
1900 ** Description This function is called to check if the peer supports
1901 ** BR/EDR Secure Connections.
1902 **
1903 ** Parameters: bd_addr - address of the peer
1904 **
1905 ** Returns TRUE if BR/EDR Secure Connections are supported by the peer,
1906 ** else FALSE.
1907 **
1908 *******************************************************************************/
BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)1909 BOOLEAN BTM_PeerSupportsSecureConnections(BD_ADDR bd_addr)
1910 {
1911 tBTM_SEC_DEV_REC *p_dev_rec;
1912
1913 if ((p_dev_rec = btm_find_dev(bd_addr)) == NULL) {
1914 BTM_TRACE_WARNING("%s: unknown BDA: %08x%04x\n", __FUNCTION__,
1915 (bd_addr[0] << 24) + (bd_addr[1] << 16) + (bd_addr[2] << 8) + bd_addr[3],
1916 (bd_addr[4] << 8) + bd_addr[5]);
1917 return FALSE;
1918 }
1919
1920 return (p_dev_rec->remote_supports_secure_connections);
1921 }
1922
1923 /*******************************************************************************
1924 **
1925 ** Function BTM_SetOutService
1926 **
1927 ** Description This function is called to set the service for
1928 ** outgoing connections.
1929 **
1930 ** If the profile/application calls BTM_SetSecurityLevel
1931 ** before initiating a connection, this function does not
1932 ** need to be called.
1933 **
1934 ** Returns void
1935 **
1936 *******************************************************************************/
BTM_SetOutService(BD_ADDR bd_addr,UINT8 service_id,UINT32 mx_chan_id)1937 void BTM_SetOutService(BD_ADDR bd_addr, UINT8 service_id, UINT32 mx_chan_id)
1938 {
1939 tBTM_SEC_DEV_REC *p_dev_rec;
1940 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
1941
1942 btm_cb.p_out_serv = p_serv_rec;
1943 p_dev_rec = btm_find_dev (bd_addr);
1944
1945 for (int i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) {
1946 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
1947 && (p_serv_rec->service_id == service_id)
1948 && (p_serv_rec->orig_mx_chan_id == mx_chan_id)) {
1949 BTM_TRACE_API("BTM_SetOutService p_out_serv id %d, psm 0x%04x, proto_id %d, chan_id %d\n",
1950 p_serv_rec->service_id, p_serv_rec->psm, p_serv_rec->mx_proto_id, p_serv_rec->orig_mx_chan_id);
1951 btm_cb.p_out_serv = p_serv_rec;
1952 if (p_dev_rec) {
1953 p_dev_rec->p_cur_service = p_serv_rec;
1954 }
1955 break;
1956 }
1957 }
1958 }
1959 #endif ///CLASSIC_BT_INCLUDED == TRUE
1960
1961
1962 /************************************************************************
1963 ** I N T E R N A L F U N C T I O N S
1964 *************************************************************************/
1965 /*******************************************************************************
1966 **
1967 ** Function btm_sec_is_upgrade_possible
1968 **
1969 ** Description This function returns TRUE if the existing link key
1970 ** can be upgraded or if the link key does not exist.
1971 **
1972 ** Returns BOOLEAN
1973 **
1974 *******************************************************************************/
1975 #if (SMP_INCLUDED == TRUE)
btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)1976 static BOOLEAN btm_sec_is_upgrade_possible(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
1977 {
1978 UINT16 mtm_check = is_originator ? BTM_SEC_OUT_MITM : BTM_SEC_IN_MITM;
1979 BOOLEAN is_possible = TRUE;
1980
1981 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) {
1982 is_possible = FALSE;
1983 if (p_dev_rec->p_cur_service) {
1984 BTM_TRACE_DEBUG ("%s() id: %d, link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x, flags: 0x%x\n",
1985 __func__, p_dev_rec->p_cur_service->service_id, p_dev_rec->link_key_type,
1986 p_dev_rec->rmt_io_caps, mtm_check, p_dev_rec->p_cur_service->security_flags);
1987 } else {
1988 BTM_TRACE_DEBUG ("%s() link_key_typet: %d, rmt_io_caps: %d, chk flags: 0x%x\n",
1989 __func__, p_dev_rec->link_key_type, p_dev_rec->rmt_io_caps, mtm_check);
1990 }
1991 /* Already have a link key to the connected peer. Is the link key secure enough?
1992 ** Is a link key upgrade even possible?
1993 */
1994 if ((p_dev_rec->security_required & mtm_check) /* needs MITM */
1995 && ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB) ||
1996 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256))
1997 /* has unauthenticated
1998 link key */
1999 && (p_dev_rec->rmt_io_caps < BTM_IO_CAP_MAX) /* a valid peer IO cap */
2000 && (btm_sec_io_map[p_dev_rec->rmt_io_caps][btm_cb.devcb.loc_io_caps]))
2001 /* authenticated
2002 link key is possible */
2003 {
2004 /* upgrade is possible: check if the application wants the upgrade.
2005 * If the application is configured to use a global MITM flag,
2006 * it probably would not want to upgrade the link key based on the security level database */
2007 is_possible = TRUE;
2008 }
2009 }
2010 BTM_TRACE_DEBUG ("%s() is_possible: %d sec_flags: 0x%x\n", __func__, is_possible, p_dev_rec->sec_flags);
2011 return is_possible;
2012 }
2013 #endif ///SMP_INCLUDED == TRUE
2014
2015 /*******************************************************************************
2016 **
2017 ** Function btm_sec_check_upgrade
2018 **
2019 ** Description This function is called to check if the existing link key
2020 ** needs to be upgraded.
2021 **
2022 ** Returns void
2023 **
2024 *******************************************************************************/
2025 #if (SMP_INCLUDED == TRUE)
btm_sec_check_upgrade(tBTM_SEC_DEV_REC * p_dev_rec,BOOLEAN is_originator)2026 static void btm_sec_check_upgrade(tBTM_SEC_DEV_REC *p_dev_rec, BOOLEAN is_originator)
2027 {
2028
2029 BTM_TRACE_DEBUG ("%s()\n", __func__);
2030
2031 /* Only check if link key already exists */
2032 if (!(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) {
2033 return;
2034 }
2035
2036 if (btm_sec_is_upgrade_possible (p_dev_rec, is_originator) == TRUE) {
2037 BTM_TRACE_DEBUG ("need upgrade!! sec_flags:0x%x\n", p_dev_rec->sec_flags);
2038 /* upgrade is possible: check if the application wants the upgrade.
2039 * If the application is configured to use a global MITM flag,
2040 * it probably would not want to upgrade the link key based on the security level database */
2041 tBTM_SP_UPGRADE evt_data;
2042 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
2043 evt_data.upgrade = TRUE;
2044 if (btm_cb.api.p_sp_callback) {
2045 (*btm_cb.api.p_sp_callback) (BTM_SP_UPGRADE_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
2046 }
2047
2048 BTM_TRACE_DEBUG ("evt_data.upgrade:0x%x\n", evt_data.upgrade);
2049 if (evt_data.upgrade) {
2050 /* if the application confirms the upgrade, set the upgrade bit */
2051 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2052
2053 /* Clear the link key known to go through authentication/pairing again */
2054 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED);
2055 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHENTICATED;
2056 BTM_TRACE_DEBUG ("sec_flags:0x%x\n", p_dev_rec->sec_flags);
2057 }
2058 }
2059 }
2060 #endif ///SMP_INCLUDED == TRUE
2061
2062 /*******************************************************************************
2063 **
2064 ** Function btm_sec_l2cap_access_req
2065 **
2066 ** Description This function is called by the L2CAP to grant permission to
2067 ** establish L2CAP connection to or from the peer device.
2068 **
2069 ** Parameters: bd_addr - Address of the peer device
2070 ** psm - L2CAP PSM
2071 ** is_originator - TRUE if protocol above L2CAP originates
2072 ** connection
2073 ** p_callback - Pointer to callback function called if
2074 ** this function returns PENDING after required
2075 ** procedures are complete. MUST NOT BE NULL.
2076 **
2077 ** Returns tBTM_STATUS
2078 **
2079 *******************************************************************************/
btm_sec_l2cap_access_req(BD_ADDR bd_addr,UINT16 psm,UINT16 handle,CONNECTION_TYPE conn_type,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2080 tBTM_STATUS btm_sec_l2cap_access_req (BD_ADDR bd_addr, UINT16 psm, UINT16 handle,
2081 CONNECTION_TYPE conn_type,
2082 tBTM_SEC_CALLBACK *p_callback,
2083 void *p_ref_data)
2084 {
2085 #if (SMP_INCLUDED == TRUE)
2086 tBTM_SEC_DEV_REC *p_dev_rec;
2087 tBTM_SEC_SERV_REC *p_serv_rec;
2088 UINT16 security_required;
2089 UINT16 old_security_required;
2090 BOOLEAN old_is_originator;
2091 tBTM_STATUS rc = BTM_SUCCESS;
2092 BOOLEAN chk_acp_auth_done = FALSE;
2093 BOOLEAN is_originator;
2094 BOOLEAN transport = FALSE; /* should check PSM range in LE connection oriented L2CAP connection */
2095
2096 #if (L2CAP_UCD_INCLUDED == TRUE)
2097 if (conn_type & CONNECTION_TYPE_ORIG_MASK) {
2098 is_originator = TRUE;
2099 } else {
2100 is_originator = FALSE;
2101 }
2102
2103 BTM_TRACE_DEBUG ("%s() conn_type: 0x%x, %p\n", __func__, conn_type, p_ref_data);
2104 #else
2105 is_originator = conn_type;
2106
2107 BTM_TRACE_DEBUG ("%s() is_originator:%d, %p\n", __func__, is_originator, p_ref_data);
2108 #endif
2109
2110 /* Find or get oldest record */
2111 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2112
2113 p_dev_rec->hci_handle = handle;
2114
2115 /* Find the service record for the PSM */
2116 p_serv_rec = btm_sec_find_first_serv (conn_type, psm);
2117
2118 /* If there is no application registered with this PSM do not allow connection */
2119 if (!p_serv_rec) {
2120 BTM_TRACE_WARNING ("%s() PSM: %d no application registerd\n", __func__, psm);
2121 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2122 return (BTM_MODE_UNSUPPORTED);
2123 }
2124
2125 /* Services level0 by default have no security */
2126 if ((btm_sec_is_serv_level0(psm)) && (!btm_cb.devcb.secure_connections_only)) {
2127 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS_NO_SECURITY);
2128 return (BTM_SUCCESS);
2129 }
2130 #if (L2CAP_UCD_INCLUDED == TRUE)
2131 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK ) {
2132 if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
2133 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->ucd_security_flags,
2134 is_originator);
2135 } else {
2136 security_required = p_serv_rec->ucd_security_flags;
2137 }
2138
2139 rc = BTM_CMD_STARTED;
2140 if (is_originator) {
2141 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2142 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2143 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2144 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) {
2145 rc = BTM_SUCCESS;
2146 }
2147 } else {
2148 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2149 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))) ||
2150 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) ||
2151 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && (p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED))) ) {
2152 // Check for 16 digits (or MITM)
2153 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2154 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) &&
2155 btm_dev_16_digit_authenticated(p_dev_rec))) {
2156 rc = BTM_SUCCESS;
2157 }
2158 }
2159 }
2160
2161 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2162 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2163 rc = BTM_CMD_STARTED;
2164 }
2165
2166 if (rc == BTM_SUCCESS) {
2167 if (p_callback) {
2168 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2169 }
2170
2171 return (BTM_SUCCESS);
2172 }
2173 } else
2174 #endif
2175 {
2176 if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
2177 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2178 is_originator);
2179 } else {
2180 security_required = p_serv_rec->security_flags;
2181 }
2182 }
2183
2184 BTM_TRACE_DEBUG("%s: security_required 0x%04x, is_originator 0x%02x, psm 0x%04x\n",
2185 __FUNCTION__, security_required, is_originator, psm);
2186
2187 if ((!is_originator) && (security_required & BTM_SEC_MODE4_LEVEL4)) {
2188 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2189 /* acceptor receives L2CAP Channel Connect Request for Secure Connections Only service */
2190 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) {
2191 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d\n"
2192 "rmt_support_for_sc : %d -> fail pairing\n", __FUNCTION__,
2193 local_supports_sc,
2194 p_dev_rec->remote_supports_secure_connections);
2195 if (p_callback) {
2196 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2197 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2198 }
2199
2200 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2201 }
2202 }
2203
2204 /* there are some devices (moto KRZR) which connects to several services at the same time */
2205 /* we will process one after another */
2206 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) ) {
2207 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
2208 BTM_TRACE_EVENT ("%s() - busy - PSM:%d delayed state: %s mode:%d, sm4:0x%x\n", __func__,
2209 psm, btm_pair_state_descr(btm_cb.pairing_state), btm_cb.security_mode, p_dev_rec->sm4);
2210 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
2211 BTM_TRACE_EVENT ("security_flags:x%x, sec_flags:x%x\n", security_required, p_dev_rec->sec_flags);
2212 rc = BTM_CMD_STARTED;
2213 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2214 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2215 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2216 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2217 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2218 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))) {
2219 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2220 * or SM4 with no possibility of link key upgrade */
2221 if (is_originator) {
2222 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2223 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2224 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec))) ||
2225 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_FLAGS) && btm_dev_authorized(p_dev_rec) && btm_dev_encrypted(p_dev_rec))) ) {
2226 rc = BTM_SUCCESS;
2227 }
2228 } else {
2229 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2230 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec)) ||
2231 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)) ||
2232 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec) || btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2233 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec) || btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2234 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_ENCRYPT | BTM_SEC_IN_AUTHORIZE)) && ((btm_dev_authorized(p_dev_rec) || btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2235 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_FLAGS) && btm_dev_encrypted(p_dev_rec) && (btm_dev_authorized(p_dev_rec) || btm_serv_trusted(p_dev_rec, p_serv_rec)))) {
2236 // Check for 16 digits (or MITM)
2237 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2238 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2239 rc = BTM_SUCCESS;
2240 }
2241 }
2242 }
2243
2244 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2245 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2246 rc = BTM_CMD_STARTED;
2247 }
2248
2249 if (rc == BTM_SUCCESS) {
2250 if (p_callback) {
2251 (*p_callback) (bd_addr, transport, (void *)p_ref_data, BTM_SUCCESS);
2252 }
2253 return (BTM_SUCCESS);
2254 }
2255 }
2256
2257 btm_cb.sec_req_pending = TRUE;
2258 return (BTM_CMD_STARTED);
2259 }
2260
2261 /* Save pointer to service record */
2262 p_dev_rec->p_cur_service = p_serv_rec;
2263
2264 /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
2265 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2266 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2267 btm_cb.security_mode == BTM_SEC_MODE_SC) {
2268 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
2269 if (is_originator) {
2270 /* SM4 to SM4 -> always authenticate & encrypt */
2271 security_required |= (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT);
2272 } else { /* acceptor */
2273 /* SM4 to SM4: the acceptor needs to make sure the authentication is already done */
2274 chk_acp_auth_done = TRUE;
2275 /* SM4 to SM4 -> always authenticate & encrypt */
2276 security_required |= (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT);
2277 }
2278 } else if (!(BTM_SM4_KNOWN & p_dev_rec->sm4)) {
2279 /* the remote features are not known yet */
2280 BTM_TRACE_ERROR("%s: (%s) remote features unknown!!sec_flags:0x%02x\n", __FUNCTION__,
2281 (is_originator) ? "initiator" : "acceptor", p_dev_rec->sec_flags);
2282
2283 p_dev_rec->sm4 |= BTM_SM4_REQ_PEND;
2284 return (BTM_CMD_STARTED);
2285 }
2286 }
2287
2288 BTM_TRACE_DEBUG ("%s() sm4:0x%x, sec_flags:0x%x, security_required:0x%x chk:%d\n", __func__,
2289 p_dev_rec->sm4, p_dev_rec->sec_flags, security_required, chk_acp_auth_done);
2290
2291 old_security_required = p_dev_rec->security_required;
2292 old_is_originator = p_dev_rec->is_originator;
2293 p_dev_rec->security_required = security_required;
2294 p_dev_rec->p_ref_data = p_ref_data;
2295 p_dev_rec->is_originator = is_originator;
2296
2297 #if (L2CAP_UCD_INCLUDED == TRUE)
2298 if ( conn_type & CONNECTION_TYPE_CONNLESS_MASK ) {
2299 p_dev_rec->is_ucd = TRUE;
2300 } else {
2301 p_dev_rec->is_ucd = FALSE;
2302 }
2303 #endif
2304
2305 /* If there are multiple service records used through the same PSM */
2306 /* leave security decision for the multiplexor on the top */
2307 #if (L2CAP_UCD_INCLUDED == TRUE)
2308 if (((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2309 && (!( conn_type & CONNECTION_TYPE_CONNLESS_MASK ))) /* if not UCD */
2310 #else
2311 if ((btm_sec_find_next_serv (p_serv_rec)) != NULL)
2312 #endif
2313 {
2314 BTM_TRACE_DEBUG ("no next_serv sm4:0x%x, chk:%d\n", p_dev_rec->sm4, chk_acp_auth_done);
2315 if (!BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
2316 BTM_TRACE_EVENT ("Security Manager: l2cap_access_req PSM:%d postponed for multiplexer\n", psm);
2317 /* pre-Lisbon: restore the old settings */
2318 p_dev_rec->security_required = old_security_required;
2319 p_dev_rec->is_originator = old_is_originator;
2320
2321 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2322
2323 return (BTM_SUCCESS);
2324 }
2325 }
2326
2327 /* if the originator is using dynamic PSM in legacy mode, do not start any security process now
2328 * The layer above L2CAP needs to carry out the security requirement after L2CAP connect
2329 * response is received */
2330 if (is_originator &&
2331 ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2332 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2333 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2334 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2335 !BTM_SEC_IS_SM4(p_dev_rec->sm4)) && (psm >= 0x1001)) {
2336 BTM_TRACE_EVENT ("dynamic PSM:0x%x in legacy mode - postponed for upper layer\n", psm);
2337 /* restore the old settings */
2338 p_dev_rec->security_required = old_security_required;
2339 p_dev_rec->is_originator = old_is_originator;
2340
2341 (*p_callback) (bd_addr, transport, p_ref_data, BTM_SUCCESS);
2342
2343 return (BTM_SUCCESS);
2344 }
2345
2346 if (chk_acp_auth_done) {
2347 BTM_TRACE_DEBUG ("(SM4 to SM4) btm_sec_l2cap_access_req rspd. authenticated: x%x, enc: x%x\n",
2348 (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED), (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED));
2349 /* SM4, but we do not know for sure which level of security we need.
2350 * as long as we have a link key, it's OK */
2351 if ((0 == (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
2352 || (0 == (p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED))) {
2353 rc = BTM_DELAY_CHECK;
2354 /*
2355 2046 may report HCI_Encryption_Change and L2C Connection Request out of sequence
2356 because of data path issues. Delay this disconnect a little bit
2357 */
2358 BTM_TRACE_API("%s peer should have initiated security process by now (SM4 to SM4)\n", __func__);
2359 p_dev_rec->p_callback = p_callback;
2360 p_dev_rec->sec_state = BTM_SEC_STATE_DELAY_FOR_ENC;
2361 (*p_callback) (bd_addr, transport, p_ref_data, rc);
2362
2363 return BTM_SUCCESS;
2364 }
2365 }
2366
2367 p_dev_rec->p_callback = p_callback;
2368
2369 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
2370 || p_dev_rec->last_author_service_id != p_dev_rec->p_cur_service->service_id) {
2371 /* Although authentication and encryption are per connection
2372 ** authorization is per access request. For example when serial connection
2373 ** is up and authorized and client requests to read file (access to other
2374 ** scn), we need to request user's permission again.
2375 */
2376 p_dev_rec->sec_flags &= ~BTM_SEC_AUTHORIZED;
2377 }
2378
2379 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
2380 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2381 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2382 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2383 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) {
2384 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2385 }
2386 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2387 BTM_SEC_AUTHENTICATED);
2388 BTM_TRACE_DEBUG ("%s: sec_flags:0x%x", __FUNCTION__, p_dev_rec->sec_flags);
2389 } else {
2390 /* If we already have a link key to the connected peer, is it secure enough? */
2391 btm_sec_check_upgrade(p_dev_rec, is_originator);
2392 }
2393 }
2394
2395 BTM_TRACE_EVENT ("%s() PSM:%d Handle:%d State:%d Flags: 0x%x Required: 0x%x Service ID:%d\n",
2396 __func__, psm, handle, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2397 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2398
2399 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) {
2400 p_dev_rec->p_callback = NULL;
2401 (*p_callback) (bd_addr, transport, p_dev_rec->p_ref_data, (UINT8)rc);
2402 }
2403
2404 return (rc);
2405 #else
2406 return BTM_MODE_UNSUPPORTED;
2407 #endif ///SMP_INCLUDED == TRUE
2408 }
2409
2410 /*******************************************************************************
2411 **
2412 ** Function btm_sec_mx_access_request
2413 **
2414 ** Description This function is called by all Multiplexing Protocols during
2415 ** establishing connection to or from peer device to grant
2416 ** permission to establish application connection.
2417 **
2418 ** Parameters: bd_addr - Address of the peer device
2419 ** psm - L2CAP PSM
2420 ** is_originator - TRUE if protocol above L2CAP originates
2421 ** connection
2422 ** mx_proto_id - protocol ID of the multiplexer
2423 ** mx_chan_id - multiplexer channel to reach application
2424 ** p_callback - Pointer to callback function called if
2425 ** this function returns PENDING after required
2426 ** procedures are completed
2427 ** p_ref_data - Pointer to any reference data needed by the
2428 ** the callback function.
2429 **
2430 ** Returns BTM_CMD_STARTED
2431 **
2432 *******************************************************************************/
btm_sec_mx_access_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_originator,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)2433 tBTM_STATUS btm_sec_mx_access_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_originator,
2434 UINT32 mx_proto_id, UINT32 mx_chan_id,
2435 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
2436 {
2437 #if (SMP_INCLUDED == TRUE)
2438 tBTM_SEC_DEV_REC *p_dev_rec;
2439 tBTM_SEC_SERV_REC *p_serv_rec;
2440 tBTM_STATUS rc;
2441 UINT16 security_required;
2442 BOOLEAN transport = FALSE;/* should check PSM range in LE connection oriented L2CAP connection */
2443
2444 BTM_TRACE_DEBUG ("%s() is_originator: %d\n", __func__, is_originator);
2445 /* Find or get oldest record */
2446 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
2447
2448 /* Find the service record for the PSM */
2449 p_serv_rec = btm_sec_find_mx_serv (is_originator, psm, mx_proto_id, mx_chan_id);
2450
2451 /* If there is no application registered with this PSM do not allow connection */
2452 if (!p_serv_rec) {
2453 if (p_callback) {
2454 (*p_callback) (bd_addr, transport, p_ref_data, BTM_MODE_UNSUPPORTED);
2455 }
2456
2457 BTM_TRACE_ERROR ("Security Manager: MX service not found PSM:%d Proto:%d SCN:%d\n",
2458 psm, mx_proto_id, mx_chan_id);
2459 return BTM_NO_RESOURCES;
2460 }
2461
2462 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (!btm_sec_is_serv_level0(psm))) {
2463 security_required = btm_sec_set_serv_level4_flags (p_serv_rec->security_flags,
2464 is_originator);
2465 } else {
2466 security_required = p_serv_rec->security_flags;
2467 }
2468
2469 /* there are some devices (moto phone) which connects to several services at the same time */
2470 /* we will process one after another */
2471 if ( (p_dev_rec->p_callback) || (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) ) {
2472 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
2473 BTM_TRACE_EVENT ("%s() service PSM:%d Proto:%d SCN:%d delayed state: %s\n", __func__,
2474 psm, mx_proto_id, mx_chan_id, btm_pair_state_descr(btm_cb.pairing_state));
2475 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
2476 rc = BTM_CMD_STARTED;
2477
2478 if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
2479 btm_cb.security_mode == BTM_SEC_MODE_NONE ||
2480 btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
2481 btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
2482 (BTM_SM4_KNOWN == p_dev_rec->sm4) || (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
2483 (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == FALSE))) {
2484 /* legacy mode - local is legacy or local is lisbon/peer is legacy
2485 * or SM4 with no possibility of link key upgrade */
2486 if (is_originator) {
2487 if (((security_required & BTM_SEC_OUT_FLAGS) == 0) ||
2488 ((((security_required & BTM_SEC_OUT_FLAGS) == BTM_SEC_OUT_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2489 ((((security_required & BTM_SEC_OUT_FLAGS) == (BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2490 ) {
2491 rc = BTM_SUCCESS;
2492 }
2493 } else {
2494 if (((security_required & BTM_SEC_IN_FLAGS) == 0) ||
2495 ((((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHENTICATE) && btm_dev_authenticated(p_dev_rec))) ||
2496 (((security_required & BTM_SEC_IN_FLAGS) == BTM_SEC_IN_AUTHORIZE) && (btm_dev_authorized(p_dev_rec) || btm_serv_trusted(p_dev_rec, p_serv_rec))) ||
2497 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_AUTHENTICATE)) && ((btm_dev_authorized(p_dev_rec) || btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_authenticated(p_dev_rec))) ||
2498 (((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHORIZE | BTM_SEC_IN_ENCRYPT)) && ((btm_dev_authorized(p_dev_rec) || btm_serv_trusted(p_dev_rec, p_serv_rec)) && btm_dev_encrypted(p_dev_rec))) ||
2499 ((((security_required & BTM_SEC_IN_FLAGS) == (BTM_SEC_IN_AUTHENTICATE | BTM_SEC_IN_ENCRYPT)) && btm_dev_encrypted(p_dev_rec)))
2500 ) {
2501 // Check for 16 digits (or MITM)
2502 if (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == 0) ||
2503 (((security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN) == BTM_SEC_IN_MIN_16_DIGIT_PIN) && btm_dev_16_digit_authenticated(p_dev_rec))) {
2504 rc = BTM_SUCCESS;
2505 }
2506 }
2507 }
2508 if ((rc == BTM_SUCCESS) && (security_required & BTM_SEC_MODE4_LEVEL4) &&
2509 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2510 rc = BTM_CMD_STARTED;
2511 }
2512 }
2513
2514 if (rc == BTM_SUCCESS) {
2515 BTM_TRACE_EVENT("%s: allow to bypass, checking authorization\n", __FUNCTION__);
2516 /* the security in BTM_SEC_IN_FLAGS is fullfilled so far, check the requirements in */
2517 /* btm_sec_execute_procedure */
2518 if ((is_originator && (p_serv_rec->security_flags & BTM_SEC_OUT_AUTHORIZE)) ||
2519 (!is_originator && (p_serv_rec->security_flags & BTM_SEC_IN_AUTHORIZE))) {
2520 BTM_TRACE_EVENT("%s: still need authorization\n", __FUNCTION__);
2521 rc = BTM_CMD_STARTED;
2522 }
2523 }
2524
2525 /* Check whether there is a pending security procedure, if so we should always queue */
2526 /* the new security request */
2527 if (p_dev_rec->sec_state != BTM_SEC_STATE_IDLE) {
2528 BTM_TRACE_EVENT("%s: There is a pending security procedure\n", __FUNCTION__);
2529 rc = BTM_CMD_STARTED;
2530 }
2531 if (rc == BTM_CMD_STARTED) {
2532 BTM_TRACE_EVENT("%s: call btm_sec_queue_mx_request\n", __FUNCTION__);
2533 btm_sec_queue_mx_request (bd_addr, psm, is_originator, mx_proto_id,
2534 mx_chan_id, p_callback, p_ref_data);
2535 } else { /* rc == BTM_SUCCESS */
2536 /* access granted */
2537 if (p_callback) {
2538 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc);
2539 }
2540 }
2541 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
2542 BTM_TRACE_EVENT("%s: return with rc = 0x%02x in delayed state %s\n", __FUNCTION__, rc,
2543 btm_pair_state_descr(btm_cb.pairing_state));
2544 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
2545 return rc;
2546 }
2547
2548 if ((!is_originator) && ((security_required & BTM_SEC_MODE4_LEVEL4) ||
2549 (btm_cb.security_mode == BTM_SEC_MODE_SC))) {
2550 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
2551 /* acceptor receives service connection establishment Request for */
2552 /* Secure Connections Only service */
2553 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) {
2554 BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,\n"
2555 "remote_support_for_sc %d: fail pairing\n", __FUNCTION__,
2556 local_supports_sc, p_dev_rec->remote_supports_secure_connections);
2557
2558 if (p_callback) {
2559 (*p_callback) (bd_addr, transport, (void *)p_ref_data,
2560 BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2561 }
2562
2563 return (BTM_MODE4_LEVEL4_NOT_SUPPORTED);
2564 }
2565 }
2566
2567 p_dev_rec->p_cur_service = p_serv_rec;
2568 p_dev_rec->security_required = security_required;
2569
2570 if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
2571 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
2572 btm_cb.security_mode == BTM_SEC_MODE_SC) {
2573 if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
2574 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
2575 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
2576 /* BTM_LKEY_TYPE_AUTH_COMB_P_256 is the only acceptable key in this case */
2577 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) != 0) {
2578 p_dev_rec->sm4 |= BTM_SM4_UPGRADE;
2579 }
2580
2581 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED |
2582 BTM_SEC_AUTHENTICATED);
2583 BTM_TRACE_DEBUG("%s: sec_flags:0x%x\n", __FUNCTION__, p_dev_rec->sec_flags);
2584 } else {
2585 /* If we already have a link key, check if that link key is good enough */
2586 btm_sec_check_upgrade(p_dev_rec, is_originator);
2587 }
2588 }
2589 }
2590
2591 p_dev_rec->is_originator = is_originator;
2592 p_dev_rec->p_callback = p_callback;
2593 p_dev_rec->p_ref_data = p_ref_data;
2594
2595 /* Although authentication and encryption are per connection */
2596 /* authorization is per access request. For example when serial connection */
2597 /* is up and authorized and client requests to read file (access to other */
2598 /* scn, we need to request user's permission again. */
2599 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED);
2600
2601 BTM_TRACE_EVENT ("%s() proto_id:%d chan_id:%d State:%d Flags:0x%x Required:0x%x Service ID:%d\n",
2602 __func__, mx_proto_id, mx_chan_id, p_dev_rec->sec_state, p_dev_rec->sec_flags,
2603 p_dev_rec->security_required, p_dev_rec->p_cur_service->service_id);
2604
2605 if ((rc = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) {
2606 if (p_callback) {
2607 p_dev_rec->p_callback = NULL;
2608 (*p_callback) (bd_addr, transport, p_ref_data, (UINT8)rc);
2609 }
2610 }
2611
2612 return rc;
2613 #else
2614 return BTM_MODE_UNSUPPORTED;
2615 #endif ///SMP_INCLUDED == TRUE
2616 }
2617
2618 /*******************************************************************************
2619 **
2620 ** Function btm_sec_conn_req
2621 **
2622 ** Description This function is when the peer device is requesting
2623 ** connection
2624 **
2625 ** Returns void
2626 **
2627 *******************************************************************************/
2628 #if (SMP_INCLUDED == TRUE)
btm_sec_conn_req(UINT8 * bda,UINT8 * dc)2629 void btm_sec_conn_req (UINT8 *bda, UINT8 *dc)
2630 {
2631 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
2632 /* Some device may request a connection before we are done with the HCI_Reset sequence */
2633 if (!controller_get_interface()->get_is_ready()) {
2634 BTM_TRACE_ERROR ("Security Manager: connect request when device not ready\n");
2635 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2636 return;
2637 }
2638
2639 /* Security guys wants us not to allow connection from not paired devices */
2640
2641 /* Check if connection is allowed for only paired devices */
2642 if (btm_cb.connect_only_paired) {
2643 if (!p_dev_rec || !(p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)) {
2644 BTM_TRACE_ERROR ("Security Manager: connect request from non-paired device\n");
2645 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2646 return;
2647 }
2648 }
2649
2650 #if BTM_ALLOW_CONN_IF_NONDISCOVER == FALSE
2651 /* If non-discoverable, only allow known devices to connect */
2652 if (btm_cb.btm_inq_vars.discoverable_mode == BTM_NON_DISCOVERABLE) {
2653 if (!p_dev_rec) {
2654 BTM_TRACE_ERROR ("Security Manager: connect request from not paired device\n");
2655 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2656 return;
2657 }
2658 }
2659 #endif
2660
2661 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
2662 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
2663 && (!memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN))) {
2664 BTM_TRACE_ERROR ("Security Manager: reject connect request from bonding device\n");
2665
2666 /* incoming connection from bonding device is rejected */
2667 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_REJECTED_CONNECT;
2668 btsnd_hcic_reject_conn (bda, HCI_ERR_HOST_REJECT_DEVICE);
2669 return;
2670 }
2671
2672 /* Host is not interested or approved connection. Save BDA and DC and */
2673 /* pass request to L2CAP */
2674 memcpy (btm_cb.connecting_bda, bda, BD_ADDR_LEN);
2675 memcpy (btm_cb.connecting_dc, dc, DEV_CLASS_LEN);
2676
2677 if (l2c_link_hci_conn_req (bda)) {
2678 if (!p_dev_rec) {
2679 /* accept the connection -> allocate a device record */
2680 p_dev_rec = btm_sec_alloc_dev (bda);
2681 }
2682 if (p_dev_rec) {
2683 p_dev_rec->sm4 |= BTM_SM4_CONN_PEND;
2684 }
2685 }
2686 }
2687 #endif ///SMP_INCLUDED == TRUE
2688
2689 /*******************************************************************************
2690 **
2691 ** Function btm_sec_bond_cancel_complete
2692 **
2693 ** Description This function is called to report bond cancel complete
2694 ** event.
2695 **
2696 ** Returns void
2697 **
2698 *******************************************************************************/
2699 #if (SMP_INCLUDED == TRUE)
btm_sec_bond_cancel_complete(void)2700 static void btm_sec_bond_cancel_complete (void)
2701 {
2702 tBTM_SEC_DEV_REC *p_dev_rec;
2703
2704 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) ||
2705 (BTM_PAIR_STATE_WAIT_LOCAL_PIN == btm_cb.pairing_state &&
2706 BTM_PAIR_FLAGS_WE_STARTED_DD & btm_cb.pairing_flags) ||
2707 (btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME &&
2708 BTM_PAIR_FLAGS_WE_CANCEL_DD & btm_cb.pairing_flags)) {
2709 /* for dedicated bonding in legacy mode, authentication happens at "link level"
2710 * btm_sec_connected is called with failed status.
2711 * In theory, the code that handles is_pairing_device/TRUE should clean out security related code.
2712 * However, this function may clean out the security related flags and btm_sec_connected would not know
2713 * this function also needs to do proper clean up.
2714 */
2715 if ((p_dev_rec = btm_find_dev (btm_cb.pairing_bda)) != NULL) {
2716 p_dev_rec->security_required = BTM_SEC_NONE;
2717 }
2718 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2719
2720 /* Notify application that the cancel succeeded */
2721 if (btm_cb.api.p_bond_cancel_cmpl_callback) {
2722 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_SUCCESS);
2723 }
2724 }
2725 }
2726 #endif ///SMP_INCLUDED == TRUE
2727
2728
2729 /*******************************************************************************
2730 **
2731 ** Function btm_create_conn_cancel_complete
2732 **
2733 ** Description This function is called when the command complete message
2734 ** is received from the HCI for the create connection cancel
2735 ** command.
2736 **
2737 ** Returns void
2738 **
2739 *******************************************************************************/
btm_create_conn_cancel_complete(UINT8 * p)2740 void btm_create_conn_cancel_complete (UINT8 *p)
2741 {
2742 UINT8 status;
2743
2744 STREAM_TO_UINT8 (status, p);
2745 //BTM_TRACE_EVENT ("btm_create_conn_cancel_complete(): in State: %s status:%d\n",
2746 // btm_pair_state_descr(btm_cb.pairing_state), status);
2747
2748 /* if the create conn cancel cmd was issued by the bond cancel,
2749 ** the application needs to be notified that bond cancel succeeded
2750 */
2751 switch (status) {
2752 case HCI_SUCCESS:
2753 #if (SMP_INCLUDED == TRUE)
2754 btm_sec_bond_cancel_complete();
2755 #endif ///SMP_INCLUDED == TRUE
2756 break;
2757 case HCI_ERR_CONNECTION_EXISTS:
2758 case HCI_ERR_NO_CONNECTION:
2759 default:
2760 /* Notify application of the error */
2761 if (btm_cb.api.p_bond_cancel_cmpl_callback) {
2762 btm_cb.api.p_bond_cancel_cmpl_callback(BTM_ERR_PROCESSING);
2763 }
2764 break;
2765 }
2766 }
2767
2768 /*******************************************************************************
2769 **
2770 ** Function btm_sec_check_pending_reqs
2771 **
2772 ** Description This function is called at the end of the security procedure
2773 ** to let L2CAP and RFCOMM know to re-submit any pending requests
2774 **
2775 ** Returns void
2776 **
2777 *******************************************************************************/
2778 #if (SMP_INCLUDED == TRUE)
btm_sec_check_pending_reqs(void)2779 void btm_sec_check_pending_reqs (void)
2780 {
2781 tBTM_SEC_QUEUE_ENTRY *p_e;
2782 fixed_queue_t *bq;
2783
2784 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) {
2785 /* First, resubmit L2CAP requests */
2786 if (btm_cb.sec_req_pending) {
2787 btm_cb.sec_req_pending = FALSE;
2788 #if (CLASSIC_BT_INCLUDED == TRUE)
2789 l2cu_resubmit_pending_sec_req (NULL);
2790 #endif ///SMP_INCLUDED == TRUE
2791 }
2792
2793 /* Now, re-submit anything in the mux queue */
2794 bq = btm_cb.sec_pending_q;
2795
2796 btm_cb.sec_pending_q = fixed_queue_new(QUEUE_SIZE_MAX);
2797
2798
2799 while ((p_e = (tBTM_SEC_QUEUE_ENTRY *)fixed_queue_dequeue(bq, 0)) != NULL) {
2800 /* Check that the ACL is still up before starting security procedures */
2801 if (btm_bda_to_acl(p_e->bd_addr, p_e->transport) != NULL) {
2802 if (p_e->psm != 0) {
2803 BTM_TRACE_EVENT("%s PSM:0x%04x Is_Orig:%u mx_proto_id:%u mx_chan_id:%u\n",
2804 __FUNCTION__, p_e->psm, p_e->is_orig,
2805 p_e->mx_proto_id, p_e->mx_chan_id);
2806
2807 btm_sec_mx_access_request (p_e->bd_addr, p_e->psm, p_e->is_orig,
2808 p_e->mx_proto_id, p_e->mx_chan_id,
2809 p_e->p_callback, p_e->p_ref_data);
2810 } else {
2811 BTM_SetEncryption(p_e->bd_addr, p_e->transport, p_e->p_callback,
2812 p_e->p_ref_data);
2813 }
2814 }
2815
2816 osi_free (p_e);
2817 }
2818 fixed_queue_free(bq, NULL);
2819 }
2820 }
2821 #endif ///SMP_INCLUDED == TRUE
2822
2823
2824 /*******************************************************************************
2825 **
2826 ** Function btm_sec_init
2827 **
2828 ** Description This function is on the SEC startup
2829 **
2830 ** Returns void
2831 **
2832 *******************************************************************************/
2833 #if (SMP_INCLUDED == TRUE)
btm_sec_init(UINT8 sec_mode)2834 void btm_sec_init (UINT8 sec_mode)
2835 {
2836 btm_cb.security_mode = sec_mode;
2837 memset (btm_cb.pairing_bda, 0xff, BD_ADDR_LEN);
2838 btm_cb.max_collision_delay = BTM_SEC_MAX_COLLISION_DELAY;
2839 }
2840 #endif ///SMP_INCLUDED == TRUE
2841
2842 /*******************************************************************************
2843 **
2844 ** Function btm_sec_device_down
2845 **
2846 ** Description This function should be called when device is disabled or
2847 ** turned off
2848 **
2849 ** Returns void
2850 **
2851 *******************************************************************************/
2852 #if (SMP_INCLUDED == TRUE)
btm_sec_device_down(void)2853 void btm_sec_device_down (void)
2854 {
2855 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
2856 BTM_TRACE_EVENT ("%s() State: %s\n", __func__, btm_pair_state_descr(btm_cb.pairing_state));
2857 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
2858 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
2859 }
2860 #endif ///SMP_INCLUDED == TRUE
2861
2862
2863 /*******************************************************************************
2864 **
2865 ** Function btm_sec_dev_reset
2866 **
2867 ** Description This function should be called after device reset
2868 **
2869 ** Returns void
2870 **
2871 *******************************************************************************/
btm_sec_dev_reset(void)2872 void btm_sec_dev_reset (void)
2873 {
2874 if (controller_get_interface()->supports_simple_pairing()) {
2875 /* set the default IO capabilities */
2876 btm_cb.devcb.loc_io_caps = BTM_LOCAL_IO_CAPS;
2877 /* add mx service to use no security */
2878 BTM_SetSecurityLevel(FALSE, "RFC_MUX\n", BTM_SEC_SERVICE_RFC_MUX,
2879 BTM_SEC_NONE, BT_PSM_RFCOMM, BTM_SEC_PROTO_RFCOMM, 0);
2880 } else {
2881 btm_cb.security_mode = BTM_SEC_MODE_SERVICE;
2882 }
2883
2884 BTM_TRACE_DEBUG ("btm_sec_dev_reset sec mode: %d\n", btm_cb.security_mode);
2885 }
2886
2887 /*******************************************************************************
2888 **
2889 ** Function btm_sec_abort_access_req
2890 **
2891 ** Description This function is called by the L2CAP or RFCOMM to abort
2892 ** the pending operation.
2893 **
2894 ** Parameters: bd_addr - Address of the peer device
2895 **
2896 ** Returns void
2897 **
2898 *******************************************************************************/
btm_sec_abort_access_req(BD_ADDR bd_addr)2899 void btm_sec_abort_access_req (BD_ADDR bd_addr)
2900 {
2901 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
2902
2903 if (!p_dev_rec) {
2904 return;
2905 }
2906
2907 if ((p_dev_rec->sec_state != BTM_SEC_STATE_AUTHORIZING)
2908 && (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING)) {
2909 return;
2910 }
2911
2912 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
2913 p_dev_rec->p_callback = NULL;
2914 }
2915
2916 /*******************************************************************************
2917 **
2918 ** Function btm_sec_dd_create_conn
2919 **
2920 ** Description This function is called to create the ACL connection for
2921 ** the dedicated boding process
2922 **
2923 ** Returns void
2924 **
2925 *******************************************************************************/
2926 #if (SMP_INCLUDED == TRUE)
btm_sec_dd_create_conn(tBTM_SEC_DEV_REC * p_dev_rec)2927 static tBTM_STATUS btm_sec_dd_create_conn (tBTM_SEC_DEV_REC *p_dev_rec)
2928 {
2929 tL2C_LCB *p_lcb = l2cu_find_lcb_by_bd_addr(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
2930 if (p_lcb && (p_lcb->link_state == LST_CONNECTED || p_lcb->link_state == LST_CONNECTING)) {
2931 BTM_TRACE_WARNING("%s Connection already exists\n", __func__);
2932 return BTM_CMD_STARTED;
2933 }
2934
2935 /* Make sure an L2cap link control block is available */
2936 if (!p_lcb && (p_lcb = l2cu_allocate_lcb (p_dev_rec->bd_addr, TRUE, BT_TRANSPORT_BR_EDR)) == NULL) {
2937 BTM_TRACE_WARNING ("Security Manager: failed allocate LCB [%02x%02x%02x%02x%02x%02x]\n",
2938 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2939 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2940
2941 return (BTM_NO_RESOURCES);
2942 }
2943
2944 /* set up the control block to indicated dedicated bonding */
2945 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
2946
2947 if (l2cu_create_conn(p_lcb, BT_TRANSPORT_BR_EDR) == FALSE) {
2948 BTM_TRACE_WARNING ("Security Manager: failed create [%02x%02x%02x%02x%02x%02x]\n",
2949 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2950 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2951
2952 l2cu_release_lcb(p_lcb);
2953 return (BTM_NO_RESOURCES);
2954 }
2955
2956 btm_acl_update_busy_level (BTM_BLI_PAGE_EVT);
2957
2958 BTM_TRACE_DEBUG ("Security Manager: btm_sec_dd_create_conn [%02x%02x%02x%02x%02x%02x]\n",
2959 p_dev_rec->bd_addr[0], p_dev_rec->bd_addr[1], p_dev_rec->bd_addr[2],
2960 p_dev_rec->bd_addr[3], p_dev_rec->bd_addr[4], p_dev_rec->bd_addr[5]);
2961
2962 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_PIN_REQ);
2963 return (BTM_CMD_STARTED);
2964 }
2965 #endif ///SMP_INCLUDED == TRUE
2966
2967 /*******************************************************************************
2968 **
2969 ** Function btm_sec_rmt_name_request_complete
2970 **
2971 ** Description This function is called when remote name was obtained from
2972 ** the peer device
2973 **
2974 ** Returns void
2975 **
2976 *******************************************************************************/
2977 #if (SMP_INCLUDED == TRUE)
btm_sec_rmt_name_request_complete(UINT8 * p_bd_addr,UINT8 * p_bd_name,UINT8 status)2978 void btm_sec_rmt_name_request_complete (UINT8 *p_bd_addr, UINT8 *p_bd_name, UINT8 status)
2979 {
2980 tBTM_SEC_DEV_REC *p_dev_rec = NULL;
2981 int i;
2982 DEV_CLASS dev_class;
2983 UINT8 old_sec_state;
2984 UINT8 res;
2985
2986 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete\n");
2987 if (((p_bd_addr == NULL) && !BTM_ACL_IS_CONNECTED(btm_cb.connecting_bda))
2988 || ((p_bd_addr != NULL) && !BTM_ACL_IS_CONNECTED(p_bd_addr))) {
2989 btm_acl_resubmit_page();
2990 }
2991
2992 /* If remote name request failed, p_bd_addr is null and we need to search */
2993 /* based on state assuming that we are doing 1 at a time */
2994 if (p_bd_addr) {
2995 p_dev_rec = btm_find_dev (p_bd_addr);
2996 } else {
2997 list_node_t *p_node = NULL;
2998 for (p_node = list_begin(btm_cb.p_sec_dev_rec_list); p_node; p_node = list_next(p_node)) {
2999 p_dev_rec = list_node(p_node);
3000 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
3001 && (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME)) {
3002 p_bd_addr = p_dev_rec->bd_addr;
3003 break;
3004 }
3005 }
3006 if (!p_bd_addr) {
3007 p_dev_rec = NULL;
3008 }
3009 }
3010
3011
3012 /* Commenting out trace due to obf/compilation problems.
3013 */
3014 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
3015 if (!p_bd_name) {
3016 p_bd_name = (UINT8 *)"";
3017 }
3018
3019 if (p_dev_rec) {
3020 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d State:%d p_dev_rec: %p \n",
3021 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3022 status, p_dev_rec->sec_state, p_dev_rec);
3023 } else {
3024 BTM_TRACE_EVENT ("Security Manager: rmt_name_complete PairState: %s RemName: %s status: %d\n",
3025 btm_pair_state_descr (btm_cb.pairing_state), p_bd_name,
3026 status);
3027 }
3028 #endif
3029
3030 if (p_dev_rec) {
3031 old_sec_state = p_dev_rec->sec_state;
3032 if (status == HCI_SUCCESS) {
3033 BCM_STRNCPY_S ((char *)p_dev_rec->sec_bd_name, (char *)p_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3034 p_dev_rec->sec_flags |= BTM_SEC_NAME_KNOWN;
3035 BTM_TRACE_EVENT ("setting BTM_SEC_NAME_KNOWN sec_flags:0x%x\n", p_dev_rec->sec_flags);
3036 } else {
3037 /* Notify all clients waiting for name to be resolved even if it failed so clients can continue */
3038 p_dev_rec->sec_bd_name[0] = 0;
3039 }
3040
3041 if (p_dev_rec->sec_state == BTM_SEC_STATE_GETTING_NAME) {
3042 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3043 }
3044
3045 /* Notify all clients waiting for name to be resolved */
3046 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) {
3047 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr) {
3048 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, p_dev_rec->dev_class,
3049 p_dev_rec->sec_bd_name);
3050 }
3051 }
3052 } else {
3053 dev_class[0] = 0;
3054 dev_class[1] = 0;
3055 dev_class[2] = 0;
3056
3057 /* Notify all clients waiting for name to be resolved even if not found so clients can continue */
3058 for (i = 0; i < BTM_SEC_MAX_RMT_NAME_CALLBACKS; i++) {
3059 if (btm_cb.p_rmt_name_callback[i] && p_bd_addr) {
3060 (*btm_cb.p_rmt_name_callback[i])(p_bd_addr, dev_class, (UINT8 *)"");
3061 }
3062 }
3063
3064 return;
3065 }
3066
3067 /* If we were delaying asking UI for a PIN because name was not resolved, ask now */
3068 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_LOCAL_PIN) && p_bd_addr
3069 && (memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) ) {
3070 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() delayed pin now being requested flags:0x%x, (p_pin_callback=%p)\n", btm_cb.pairing_flags, btm_cb.api.p_pin_callback);
3071
3072 if (((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) == 0) &&
3073 ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0) &&
3074 btm_cb.api.p_pin_callback) {
3075 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() calling pin_callback\n");
3076 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
3077 (*btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class, p_bd_name,
3078 (p_dev_rec->p_cur_service == NULL) ? FALSE
3079 : (p_dev_rec->p_cur_service->security_flags & BTM_SEC_IN_MIN_16_DIGIT_PIN));
3080 }
3081
3082 /* Set the same state again to force the timer to be restarted */
3083 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
3084 return;
3085 }
3086
3087 /* Check if we were delaying bonding because name was not resolved */
3088 if ( btm_cb.pairing_state == BTM_PAIR_STATE_GET_REM_NAME) {
3089 if (p_bd_addr && memcmp (btm_cb.pairing_bda, p_bd_addr, BD_ADDR_LEN) == 0) {
3090 BTM_TRACE_EVENT ("btm_sec_rmt_name_request_complete() continue bonding sm4: 0x%04x, status:0x%x\n", p_dev_rec->sm4, status);
3091 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_CANCEL_DD) {
3092 btm_sec_bond_cancel_complete();
3093 return;
3094 }
3095
3096 if (status != HCI_SUCCESS) {
3097 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3098
3099 if (btm_cb.api.p_auth_complete_callback)
3100 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3101 p_dev_rec->sec_bd_name, status);
3102 return;
3103 }
3104
3105 /* if peer is very old legacy devices, HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is not reported */
3106 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
3107 /* set the KNOWN flag only if BTM_PAIR_FLAGS_REJECTED_CONNECT is not set.*/
3108 /* If it is set, there may be a race condition */
3109 BTM_TRACE_DEBUG ("btm_sec_rmt_name_request_complete IS_SM4_UNKNOWN Flags:0x%04x\n",
3110 btm_cb.pairing_flags);
3111 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) == 0) {
3112 p_dev_rec->sm4 |= BTM_SM4_KNOWN;
3113 }
3114 }
3115
3116 BTM_TRACE_DEBUG("%s, SM4 Value: %x, Legacy:%d,IS SM4:%d, Unknown:%d\n", __FUNCTION__,
3117 p_dev_rec->sm4, BTM_SEC_IS_SM4_LEGACY(p_dev_rec->sm4),
3118 BTM_SEC_IS_SM4(p_dev_rec->sm4), BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4));
3119
3120 /* BT 2.1 or carkit, bring up the connection to force the peer to request PIN.
3121 ** Else prefetch (btm_sec_check_prefetch_pin will do the prefetching if needed)
3122 */
3123 if ((p_dev_rec->sm4 != BTM_SM4_KNOWN) || !btm_sec_check_prefetch_pin(p_dev_rec)) {
3124 /* if we rejected incoming connection request, we have to wait HCI_Connection_Complete event */
3125 /* before originating */
3126 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT) {
3127 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: waiting HCI_Connection_Complete after rejecting connection\n");
3128 }
3129 /* Both we and the peer are 2.1 - continue to create connection */
3130 else if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) {
3131 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: failed to start connection\n");
3132
3133 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3134
3135 if (btm_cb.api.p_auth_complete_callback) {
3136 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
3137 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
3138 }
3139 }
3140 }
3141 return;
3142 } else {
3143 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete: wrong BDA, retry with pairing BDA\n");
3144
3145 BTM_ReadRemoteDeviceName (btm_cb.pairing_bda, NULL, BT_TRANSPORT_BR_EDR);
3146 return;
3147 }
3148 }
3149
3150 /* check if we were delaying link_key_callback because name was not resolved */
3151 if (p_dev_rec->link_key_not_sent) {
3152 /* If HCI connection complete has not arrived, wait for it */
3153 if (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE) {
3154 return;
3155 }
3156
3157 p_dev_rec->link_key_not_sent = FALSE;
3158 btm_send_link_key_notif(p_dev_rec);
3159
3160 /* If its not us who perform authentication, we should tell stackserver */
3161 /* that some authentication has been completed */
3162 /* This is required when different entities receive link notification and auth complete */
3163 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)) {
3164 if (btm_cb.api.p_auth_complete_callback) {
3165 res = (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3166 p_dev_rec->dev_class,
3167 p_dev_rec->sec_bd_name, HCI_SUCCESS);
3168 if (res == BTM_SEC_DEV_REC_REMOVED) {
3169 p_dev_rec = NULL;
3170 }
3171 }
3172
3173 }
3174 }
3175
3176 /* If this is a bonding procedure can disconnect the link now */
3177 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3178 && (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED)) {
3179 BTM_TRACE_WARNING ("btm_sec_rmt_name_request_complete (none/ce)\n");
3180 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHENTICATE);
3181 l2cu_start_post_bond_timer(p_dev_rec->hci_handle);
3182 return;
3183 }
3184
3185 if (old_sec_state != BTM_SEC_STATE_GETTING_NAME) {
3186 return;
3187 }
3188
3189 /* If get name failed, notify the waiting layer */
3190 if (status != HCI_SUCCESS) {
3191 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
3192 return;
3193 }
3194
3195 if (p_dev_rec->sm4 & BTM_SM4_REQ_PEND) {
3196 BTM_TRACE_EVENT ("waiting for remote features!!\n");
3197 return;
3198 }
3199
3200 /* Remote Name succeeded, execute the next security procedure, if any */
3201 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
3202
3203 /* If result is pending reply from the user or from the device is pending */
3204 if (status == BTM_CMD_STARTED) {
3205 return;
3206 }
3207
3208 /* There is no next procedure or start of procedure failed, notify the waiting layer */
3209 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
3210 }
3211 #endif ///SMP_INCLUDED == TRUE
3212
3213
3214 /*******************************************************************************
3215 **
3216 ** Function btm_sec_rmt_host_support_feat_evt
3217 **
3218 ** Description This function is called when the
3219 ** HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT is received
3220 **
3221 ** Returns void
3222 **
3223 *******************************************************************************/
btm_sec_rmt_host_support_feat_evt(UINT8 * p)3224 void btm_sec_rmt_host_support_feat_evt (UINT8 *p)
3225 {
3226 tBTM_SEC_DEV_REC *p_dev_rec;
3227 BD_ADDR bd_addr; /* peer address */
3228 BD_FEATURES features;
3229
3230 STREAM_TO_BDADDR (bd_addr, p);
3231 p_dev_rec = btm_find_or_alloc_dev (bd_addr);
3232
3233 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x p[0]: 0x%x\n", p_dev_rec->sm4, p[0]);
3234
3235 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
3236 p_dev_rec->sm4 = BTM_SM4_KNOWN;
3237 STREAM_TO_ARRAY(features, p, HCI_FEATURE_BYTES_PER_PAGE);
3238 if (HCI_SSP_HOST_SUPPORTED(features)) {
3239 p_dev_rec->sm4 = BTM_SM4_TRUE;
3240 }
3241 BTM_TRACE_EVENT ("btm_sec_rmt_host_support_feat_evt sm4: 0x%x features[0]: 0x%x\n", p_dev_rec->sm4, features[0]);
3242 }
3243 }
3244
3245 /*******************************************************************************
3246 **
3247 ** Function btm_io_capabilities_req
3248 **
3249 ** Description This function is called when LM request for the IO
3250 ** capability of the local device and
3251 ** if the OOB data is present for the device in the event
3252 **
3253 ** Returns void
3254 **
3255 *******************************************************************************/
3256 #if (SMP_INCLUDED == TRUE)
btm_io_capabilities_req(UINT8 * p)3257 void btm_io_capabilities_req (UINT8 *p)
3258 {
3259 tBTM_SP_IO_REQ evt_data;
3260 UINT8 err_code = 0;
3261 tBTM_SEC_DEV_REC *p_dev_rec;
3262 BOOLEAN is_orig = TRUE;
3263 UINT8 callback_rc = BTM_SUCCESS;
3264
3265 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3266
3267 /* setup the default response according to compile options */
3268 /* assume that the local IO capability does not change
3269 * loc_io_caps is initialized with the default value */
3270 evt_data.io_cap = btm_cb.devcb.loc_io_caps;
3271 evt_data.oob_data = BTM_OOB_NONE;
3272 evt_data.auth_req = BTM_DEFAULT_AUTH_REQ;
3273 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
3274 BTM_TRACE_EVENT("%s: State: %s\n", __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state));
3275 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
3276 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3277
3278 BTM_TRACE_DEBUG("%s:Security mode: %d, Num Read Remote Feat pages: %d\n", __FUNCTION__,
3279 btm_cb.security_mode, p_dev_rec->num_read_pages);
3280
3281 if ((btm_cb.security_mode == BTM_SEC_MODE_SC) && (p_dev_rec->num_read_pages == 0)) {
3282 BTM_TRACE_EVENT("%s: Device security mode is SC only.\n"
3283 "To continue need to know remote features.\n", __FUNCTION__);
3284
3285 p_dev_rec->remote_features_needed = TRUE;
3286 return;
3287 }
3288
3289 p_dev_rec->sm4 |= BTM_SM4_TRUE;
3290 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
3291 BTM_TRACE_EVENT("%s: State: %s Flags: 0x%04x p_cur_service: %p\n",
3292 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state),
3293 btm_cb.pairing_flags, p_dev_rec->p_cur_service);
3294 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
3295 if (p_dev_rec->p_cur_service) {
3296 BTM_TRACE_EVENT("%s: cur_service psm: 0x%04x, security_flags: 0x%04x\n",
3297 __FUNCTION__, p_dev_rec->p_cur_service->psm,
3298 p_dev_rec->p_cur_service->security_flags);
3299 }
3300
3301 switch (btm_cb.pairing_state) {
3302 /* initiator connecting */
3303 case BTM_PAIR_STATE_IDLE:
3304 //TODO: Handle Idle pairing state
3305 //security_required = p_dev_rec->security_required;
3306 break;
3307
3308 /* received IO capability response already->acceptor */
3309 case BTM_PAIR_STATE_INCOMING_SSP:
3310 is_orig = FALSE;
3311
3312 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PEER_STARTED_DD) {
3313 /* acceptor in dedicated bonding */
3314 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3315 }
3316 break;
3317
3318 /* initiator, at this point it is expected to be dedicated bonding
3319 initiated by local device */
3320 case BTM_PAIR_STATE_WAIT_PIN_REQ:
3321 if (!memcmp (evt_data.bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN)) {
3322 evt_data.auth_req = BTM_DEFAULT_DD_AUTH_REQ;
3323 } else {
3324 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3325 }
3326 break;
3327
3328 /* any other state is unexpected */
3329 default:
3330 err_code = HCI_ERR_HOST_BUSY_PAIRING;
3331 BTM_TRACE_ERROR("%s: Unexpected Pairing state received %d\n", __FUNCTION__,
3332 btm_cb.pairing_state);
3333 break;
3334 }
3335
3336 if (btm_cb.pairing_disabled) {
3337 /* pairing is not allowed */
3338 BTM_TRACE_DEBUG("%s: Pairing is not allowed -> fail pairing.\n", __FUNCTION__);
3339 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3340 } else if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
3341 BOOLEAN local_supports_sc = controller_get_interface()->supports_secure_connections();
3342 /* device in Secure Connections Only mode */
3343 if (!(local_supports_sc) || !(p_dev_rec->remote_supports_secure_connections)) {
3344 BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,\n"
3345 " remote_support_for_sc 0x%02x -> fail pairing\n", __FUNCTION__,
3346 local_supports_sc, p_dev_rec->remote_supports_secure_connections);
3347
3348 err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
3349 }
3350 }
3351
3352 if (err_code != 0) {
3353 /* coverity[uninit_use_in_call]
3354 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3355 False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3356 */
3357 btsnd_hcic_io_cap_req_neg_reply(evt_data.bd_addr, err_code);
3358 return;
3359 }
3360
3361 evt_data.is_orig = is_orig;
3362
3363 if (is_orig) {
3364 /* local device initiated the pairing non-bonding -> use p_cur_service */
3365 if (!(btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) &&
3366 p_dev_rec->p_cur_service &&
3367 (p_dev_rec->p_cur_service->security_flags & BTM_SEC_OUT_AUTHENTICATE)) {
3368 if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
3369 /* SC only mode device requires MITM protection */
3370 evt_data.auth_req = BTM_AUTH_SP_YES;
3371 } else {
3372 evt_data.auth_req = (p_dev_rec->p_cur_service->security_flags &
3373 BTM_SEC_OUT_MITM) ? BTM_AUTH_SP_YES : BTM_AUTH_SP_NO;
3374 }
3375 }
3376 }
3377
3378 /* Notify L2CAP to increase timeout */
3379 l2c_pin_code_request (evt_data.bd_addr);
3380
3381 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3382
3383 /* coverity[uninit_use_in_call]
3384 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3385 False-positive: False-positive: evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3386 */
3387 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN)) {
3388 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3389 }
3390
3391 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS);
3392
3393 callback_rc = BTM_SUCCESS;
3394 if (p_dev_rec->sm4 & BTM_SM4_UPGRADE) {
3395 p_dev_rec->sm4 &= ~BTM_SM4_UPGRADE;
3396
3397 /* link key upgrade: always use SPGB_YES - assuming we want to save the link key */
3398 evt_data.auth_req = BTM_AUTH_SPGB_YES;
3399 } else if (btm_cb.api.p_sp_callback) {
3400 /* the callback function implementation may change the IO capability... */
3401 callback_rc = (*btm_cb.api.p_sp_callback) (BTM_SP_IO_REQ_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3402 }
3403
3404 #if BTM_OOB_INCLUDED == TRUE
3405 if ((callback_rc == BTM_SUCCESS) || (BTM_OOB_UNKNOWN != evt_data.oob_data))
3406 #else
3407 if (callback_rc == BTM_SUCCESS)
3408 #endif
3409 {
3410 if ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)) {
3411 evt_data.auth_req = (BTM_AUTH_DD_BOND | (evt_data.auth_req & BTM_AUTH_YN_BIT));
3412 }
3413
3414 if (btm_cb.security_mode == BTM_SEC_MODE_SC) {
3415 /* At this moment we know that both sides are SC capable, device in */
3416 /* SC only mode requires MITM for any service so let's set MITM bit */
3417 evt_data.auth_req |= BTM_AUTH_YN_BIT;
3418 BTM_TRACE_DEBUG("%s: for device in \"SC only\" mode set auth_req to 0x%02x\n",
3419 __FUNCTION__, evt_data.auth_req);
3420 }
3421
3422 /* if the user does not indicate "reply later" by setting the oob_data to unknown */
3423 /* send the response right now. Save the current IO capability in the control block */
3424 btm_cb.devcb.loc_auth_req = evt_data.auth_req;
3425 btm_cb.devcb.loc_io_caps = evt_data.io_cap;
3426 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
3427 BTM_TRACE_EVENT("%s: State: %s IO_CAP:%d oob_data:%d auth_req:%d",
3428 __FUNCTION__, btm_pair_state_descr(btm_cb.pairing_state), evt_data.io_cap,
3429 evt_data.oob_data, evt_data.auth_req);
3430 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
3431 btsnd_hcic_io_cap_req_reply(evt_data.bd_addr, evt_data.io_cap,
3432 evt_data.oob_data, evt_data.auth_req);
3433 }
3434 }
3435
3436 /*******************************************************************************
3437 **
3438 ** Function btm_io_capabilities_rsp
3439 **
3440 ** Description This function is called when the IO capability of the
3441 ** specified device is received
3442 **
3443 ** Returns void
3444 **
3445 *******************************************************************************/
btm_io_capabilities_rsp(UINT8 * p)3446 void btm_io_capabilities_rsp (UINT8 *p)
3447 {
3448 tBTM_SEC_DEV_REC *p_dev_rec;
3449 tBTM_SP_IO_RSP evt_data;
3450
3451 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3452 STREAM_TO_UINT8 (evt_data.io_cap, p);
3453 STREAM_TO_UINT8 (evt_data.oob_data, p);
3454 STREAM_TO_UINT8 (evt_data.auth_req, p);
3455
3456 /* Allocate a new device record or reuse the oldest one */
3457 p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr);
3458
3459 /* If no security is in progress, this indicates incoming security */
3460 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) {
3461 memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN);
3462
3463 btm_sec_change_pairing_state (BTM_PAIR_STATE_INCOMING_SSP);
3464
3465 /* Make sure we reset the trusted mask to help against attacks */
3466 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
3467
3468 /* work around for FW bug */
3469 btm_inq_stop_on_ssp();
3470 }
3471
3472 /* Notify L2CAP to increase timeout */
3473 l2c_pin_code_request (evt_data.bd_addr);
3474
3475 /* We must have a device record here.
3476 * Use the connecting device's CoD for the connection */
3477 /* coverity[uninit_use_in_call]
3478 Event uninit_use_in_call: Using uninitialized element of array "evt_data.bd_addr" in call to function "memcmp"
3479 FALSE-POSITIVE error from Coverity test-tool. evt_data.bd_addr is set at the beginning with: STREAM_TO_BDADDR (evt_data.bd_addr, p);
3480 */
3481 if (!memcmp (evt_data.bd_addr, btm_cb.connecting_bda, BD_ADDR_LEN)) {
3482 memcpy (p_dev_rec->dev_class, btm_cb.connecting_dc, DEV_CLASS_LEN);
3483 }
3484
3485 /* peer sets dedicated bonding bit and we did not initiate dedicated bonding */
3486 if (btm_cb.pairing_state == BTM_PAIR_STATE_INCOMING_SSP /* peer initiated bonding */
3487 && (evt_data.auth_req & BTM_AUTH_DD_BOND) ) { /* and dedicated bonding bit is set */
3488 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PEER_STARTED_DD;
3489 }
3490
3491 /* save the IO capability in the device record */
3492 p_dev_rec->rmt_io_caps = evt_data.io_cap;
3493 p_dev_rec->rmt_auth_req = evt_data.auth_req;
3494
3495 if (btm_cb.api.p_sp_callback) {
3496 (*btm_cb.api.p_sp_callback) (BTM_SP_IO_RSP_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3497 }
3498 }
3499
3500 /*******************************************************************************
3501 **
3502 ** Function btm_proc_sp_req_evt
3503 **
3504 ** Description This function is called to process/report
3505 ** HCI_USER_CONFIRMATION_REQUEST_EVT
3506 ** or HCI_USER_PASSKEY_REQUEST_EVT
3507 ** or HCI_USER_PASSKEY_NOTIFY_EVT
3508 **
3509 ** Returns void
3510 **
3511 *******************************************************************************/
btm_proc_sp_req_evt(tBTM_SP_EVT event,UINT8 * p)3512 void btm_proc_sp_req_evt (tBTM_SP_EVT event, UINT8 *p)
3513 {
3514 tBTM_STATUS status = BTM_ERR_PROCESSING;
3515 tBTM_SP_EVT_DATA evt_data;
3516 UINT8 *p_bda = evt_data.cfm_req.bd_addr;
3517 tBTM_SEC_DEV_REC *p_dev_rec;
3518
3519 /* All events start with bd_addr */
3520 STREAM_TO_BDADDR (p_bda, p);
3521 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
3522 BTM_TRACE_EVENT ("btm_proc_sp_req_evt() BDA: %08x%04x event: 0x%x, State: %s\n",
3523 (p_bda[0] << 24) + (p_bda[1] << 16) + (p_bda[2] << 8) + p_bda[3], (p_bda[4] << 8) + p_bda[5],
3524 event, btm_pair_state_descr(btm_cb.pairing_state));
3525 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
3526 if ( ((p_dev_rec = btm_find_dev (p_bda)) != NULL)
3527 && (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3528 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) ) {
3529 memcpy (evt_data.cfm_req.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3530 memcpy (evt_data.cfm_req.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3531
3532 BCM_STRCPY_S ((char *)evt_data.cfm_req.bd_name,(char *)p_dev_rec->sec_bd_name);
3533
3534 switch (event) {
3535 case BTM_SP_CFM_REQ_EVT:
3536 /* Numeric confirmation. Need user to conf the passkey */
3537 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM);
3538
3539 /* The device record must be allocated in the "IO cap exchange" step */
3540 STREAM_TO_UINT32 (evt_data.cfm_req.num_val, p);
3541
3542 evt_data.cfm_req.just_works = TRUE;
3543
3544 /* process user confirm req in association with the auth_req param */
3545 // #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_IO)
3546 if ( (p_dev_rec->rmt_io_caps == BTM_IO_CAP_IO)
3547 && (btm_cb.devcb.loc_io_caps == BTM_IO_CAP_IO)
3548 && ((p_dev_rec->rmt_auth_req & BTM_AUTH_SP_YES) || (btm_cb.devcb.loc_auth_req & BTM_AUTH_SP_YES)) ) {
3549 /* Both devices are DisplayYesNo and one or both devices want to authenticate
3550 -> use authenticated link key */
3551 evt_data.cfm_req.just_works = FALSE;
3552 }
3553 // #endif
3554 BTM_TRACE_DEBUG ("btm_proc_sp_req_evt() just_works:%d, io loc:%d, rmt:%d, auth loc:%d, rmt:%d\n",
3555 evt_data.cfm_req.just_works, btm_cb.devcb.loc_io_caps, p_dev_rec->rmt_io_caps,
3556 btm_cb.devcb.loc_auth_req, p_dev_rec->rmt_auth_req);
3557
3558 evt_data.cfm_req.loc_auth_req = btm_cb.devcb.loc_auth_req;
3559 evt_data.cfm_req.rmt_auth_req = p_dev_rec->rmt_auth_req;
3560 evt_data.cfm_req.loc_io_caps = btm_cb.devcb.loc_io_caps;
3561 evt_data.cfm_req.rmt_io_caps = p_dev_rec->rmt_io_caps;
3562 break;
3563
3564 case BTM_SP_KEY_NOTIF_EVT:
3565 /* Passkey notification (other side is a keyboard) */
3566 STREAM_TO_UINT32 (evt_data.key_notif.passkey, p);
3567
3568 BTM_TRACE_DEBUG ("BTM_SP_KEY_NOTIF_EVT: passkey: %u\n", evt_data.key_notif.passkey);
3569
3570 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
3571 break;
3572
3573 #if (BT_SSP_INCLUDED == TRUE)
3574 case BTM_SP_KEY_REQ_EVT:
3575 /* HCI_USER_PASSKEY_REQUEST_EVT */
3576 btm_sec_change_pairing_state (BTM_PAIR_STATE_KEY_ENTRY);
3577 break;
3578 #endif
3579 }
3580
3581 if (btm_cb.api.p_sp_callback) {
3582 status = (*btm_cb.api.p_sp_callback) (event, (tBTM_SP_EVT_DATA *)&evt_data);
3583 if (status != BTM_NOT_AUTHORIZED) {
3584 return;
3585 }
3586 /* else BTM_NOT_AUTHORIZED means when the app wants to reject the req right now */
3587 } else if ( (event == BTM_SP_CFM_REQ_EVT) && (evt_data.cfm_req.just_works == TRUE) ) {
3588 /* automatically reply with just works if no sp_cback */
3589 status = BTM_SUCCESS;
3590 }
3591
3592 if (event == BTM_SP_CFM_REQ_EVT) {
3593 BTM_TRACE_DEBUG ("calling BTM_ConfirmReqReply with status: %d\n", status);
3594 BTM_ConfirmReqReply (status, p_bda);
3595 }
3596 #if (BT_SSP_INCLUDED == TRUE)
3597 else if (event == BTM_SP_KEY_REQ_EVT) {
3598 BTM_PasskeyReqReply(status, p_bda, 0);
3599 }
3600 #endif
3601 return;
3602 }
3603 /* Something bad. we can only fail this connection */
3604 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3605
3606 if (BTM_SP_CFM_REQ_EVT == event) {
3607 btsnd_hcic_user_conf_reply (p_bda, FALSE);
3608 } else if (BTM_SP_KEY_NOTIF_EVT == event) {
3609 /* do nothing -> it very unlikely to happen.
3610 This event is most likely to be received by a HID host when it first connects to a HID device.
3611 Usually the Host initiated the connection in this case.
3612 On Mobile platforms, if there's a security process happening,
3613 the host probably can not initiate another connection.
3614 BTW (PC) is another story. */
3615 if (NULL != (p_dev_rec = btm_find_dev (p_bda)) ) {
3616 btm_sec_disconnect (p_dev_rec->hci_handle, HCI_ERR_AUTH_FAILURE);
3617 }
3618 }
3619
3620 #if (BT_SSP_INCLUDED == TRUE)
3621 else {
3622 btsnd_hcic_user_passkey_neg_reply(p_bda);
3623 }
3624 #endif
3625 }
3626
3627
3628 /*******************************************************************************
3629 **
3630 ** Function btm_keypress_notif_evt
3631 **
3632 ** Description This function is called when a key press notification is
3633 ** received
3634 **
3635 ** Returns void
3636 **
3637 *******************************************************************************/
btm_keypress_notif_evt(UINT8 * p)3638 void btm_keypress_notif_evt (UINT8 *p)
3639 {
3640 tBTM_SP_KEYPRESS evt_data;
3641 UINT8 *p_bda;
3642
3643 /* parse & report BTM_SP_KEYPRESS_EVT */
3644 if (btm_cb.api.p_sp_callback) {
3645 p_bda = evt_data.bd_addr;
3646
3647 STREAM_TO_BDADDR (p_bda, p);
3648 evt_data.notif_type = *p;
3649
3650 (*btm_cb.api.p_sp_callback) (BTM_SP_KEYPRESS_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3651 }
3652 }
3653
3654 /*******************************************************************************
3655 **
3656 ** Function btm_simple_pair_complete
3657 **
3658 ** Description This function is called when simple pairing process is
3659 ** complete
3660 **
3661 ** Returns void
3662 **
3663 *******************************************************************************/
btm_simple_pair_complete(UINT8 * p)3664 void btm_simple_pair_complete (UINT8 *p)
3665 {
3666 tBTM_SP_COMPLT evt_data;
3667 tBTM_SEC_DEV_REC *p_dev_rec;
3668 UINT8 status;
3669 BOOLEAN disc = FALSE;
3670
3671 status = *p++;
3672 STREAM_TO_BDADDR (evt_data.bd_addr, p);
3673
3674 if ((p_dev_rec = btm_find_dev (evt_data.bd_addr)) == NULL) {
3675 BTM_TRACE_ERROR ("btm_simple_pair_complete() with unknown BDA: %08x%04x\n",
3676 (evt_data.bd_addr[0] << 24) + (evt_data.bd_addr[1] << 16) + (evt_data.bd_addr[2] << 8) + evt_data.bd_addr[3],
3677 (evt_data.bd_addr[4] << 8) + evt_data.bd_addr[5]);
3678 return;
3679 }
3680 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
3681 BTM_TRACE_EVENT ("btm_simple_pair_complete() Pair State: %s Status:%d sec_state: %u\n",
3682 btm_pair_state_descr(btm_cb.pairing_state), status, p_dev_rec->sec_state);
3683 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
3684 evt_data.status = BTM_ERR_PROCESSING;
3685 if (status == HCI_SUCCESS) {
3686 evt_data.status = BTM_SUCCESS;
3687 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
3688 } else {
3689 if (status == HCI_ERR_PAIRING_NOT_ALLOWED) {
3690 /* The test spec wants the peer device to get this failure code. */
3691 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_DISCONNECT);
3692
3693 /* Change the timer to 1 second */
3694 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3695 } else if (memcmp (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN) == 0) {
3696 /* stop the timer */
3697 btu_stop_timer (&btm_cb.pairing_tle);
3698
3699 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) {
3700 /* the initiating side: will receive auth complete event. disconnect ACL at that time */
3701 disc = TRUE;
3702 }
3703 } else {
3704 disc = TRUE;
3705 }
3706 }
3707
3708 /* Let the pairing state stay active, p_auth_complete_callback will report the failure */
3709 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3710 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3711
3712 if (btm_cb.api.p_sp_callback) {
3713 (*btm_cb.api.p_sp_callback) (BTM_SP_COMPLT_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3714 }
3715
3716 if (disc) {
3717 /* simple pairing failed */
3718 /* Avoid sending disconnect on HCI_ERR_PEER_USER */
3719 if ((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST)) {
3720 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
3721 }
3722 }
3723 }
3724 #endif ///SMP_INCLUDED == TRUE
3725
3726
3727 #if BTM_OOB_INCLUDED == TRUE && SMP_INCLUDED == TRUE
3728 /*******************************************************************************
3729 **
3730 ** Function btm_rem_oob_req
3731 **
3732 ** Description This function is called to process/report
3733 ** HCI_REMOTE_OOB_DATA_REQUEST_EVT
3734 **
3735 ** Returns void
3736 **
3737 *******************************************************************************/
btm_rem_oob_req(UINT8 * p)3738 void btm_rem_oob_req (UINT8 *p)
3739 {
3740 UINT8 *p_bda;
3741 tBTM_SP_RMT_OOB evt_data;
3742 tBTM_SEC_DEV_REC *p_dev_rec;
3743 BT_OCTET16 c;
3744 BT_OCTET16 r;
3745
3746 p_bda = evt_data.bd_addr;
3747
3748 STREAM_TO_BDADDR (p_bda, p);
3749
3750 BTM_TRACE_EVENT ("btm_rem_oob_req() BDA: %02x:%02x:%02x:%02x:%02x:%02x\n",
3751 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
3752
3753 if ( (NULL != (p_dev_rec = btm_find_dev (p_bda))) &&
3754 btm_cb.api.p_sp_callback) {
3755 memcpy (evt_data.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
3756 memcpy (evt_data.dev_class, p_dev_rec->dev_class, DEV_CLASS_LEN);
3757 BCM_STRNCPY_S((char *)evt_data.bd_name, (char *)p_dev_rec->sec_bd_name, BTM_MAX_REM_BD_NAME_LEN);
3758 evt_data.bd_name[BTM_MAX_REM_BD_NAME_LEN] = 0;
3759
3760 btm_sec_change_pairing_state(BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP);
3761 if ((*btm_cb.api.p_sp_callback) (BTM_SP_RMT_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data) == BTM_NOT_AUTHORIZED) {
3762 BTM_RemoteOobDataReply(TRUE, p_bda, c, r);
3763 }
3764 return;
3765 }
3766
3767 /* something bad. we can only fail this connection */
3768 btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
3769 btsnd_hcic_rem_oob_neg_reply (p_bda);
3770 }
3771
3772 /*******************************************************************************
3773 **
3774 ** Function btm_read_local_oob_complete
3775 **
3776 ** Description This function is called when read local oob data is
3777 ** completed by the LM
3778 **
3779 ** Returns void
3780 **
3781 *******************************************************************************/
btm_read_local_oob_complete(UINT8 * p)3782 void btm_read_local_oob_complete (UINT8 *p)
3783 {
3784 tBTM_SP_LOC_OOB evt_data;
3785 UINT8 status = *p++;
3786
3787 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d\n", status);
3788 if (status == HCI_SUCCESS) {
3789 evt_data.status = BTM_SUCCESS;
3790 STREAM_TO_ARRAY16(evt_data.c, p);
3791 STREAM_TO_ARRAY16(evt_data.r, p);
3792 } else {
3793 evt_data.status = BTM_ERR_PROCESSING;
3794 }
3795
3796 if (btm_cb.api.p_sp_callback) {
3797 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
3798 }
3799 }
3800 #endif /* BTM_OOB_INCLUDED */
3801
3802 /*******************************************************************************
3803 **
3804 ** Function btm_sec_auth_collision
3805 **
3806 ** Description This function is called when authentication or encryption
3807 ** needs to be retried at a later time.
3808 **
3809 ** Returns void
3810 **
3811 *******************************************************************************/
3812 #if (SMP_INCLUDED == TRUE)
btm_sec_auth_collision(UINT16 handle)3813 static void btm_sec_auth_collision (UINT16 handle)
3814 {
3815 tBTM_SEC_DEV_REC *p_dev_rec;
3816
3817 if (!btm_cb.collision_start_time) {
3818 btm_cb.collision_start_time = osi_time_get_os_boottime_ms();
3819 }
3820
3821 if ((osi_time_get_os_boottime_ms() - btm_cb.collision_start_time) < btm_cb.max_collision_delay)
3822 {
3823 if (handle == BTM_SEC_INVALID_HANDLE)
3824 {
3825 if ((p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_AUTHENTICATING)) == NULL) {
3826 p_dev_rec = btm_sec_find_dev_by_sec_state (BTM_SEC_STATE_ENCRYPTING);
3827 }
3828 } else {
3829 p_dev_rec = btm_find_dev_by_handle (handle);
3830 }
3831
3832 if (p_dev_rec != NULL) {
3833 BTM_TRACE_DEBUG ("btm_sec_auth_collision: state %d (retrying in a moment...)\n", p_dev_rec->sec_state);
3834 /* We will restart authentication after timeout */
3835 if (p_dev_rec->sec_state == BTM_SEC_STATE_AUTHENTICATING || p_dev_rec->sec_state == BTM_SEC_STATE_ENCRYPTING) {
3836 p_dev_rec->sec_state = 0;
3837 }
3838
3839 btm_cb.p_collided_dev_rec = p_dev_rec;
3840 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_collision_timeout;
3841 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, BT_1SEC_TIMEOUT);
3842 }
3843 }
3844 }
3845 #endif ///SMP_INCLUDED == TRUE
3846
3847 /*******************************************************************************
3848 **
3849 ** Function btm_sec_auth_complete
3850 **
3851 ** Description This function is when authentication of the connection is
3852 ** completed by the LM
3853 **
3854 ** Returns void
3855 **
3856 *******************************************************************************/
3857 #if (SMP_INCLUDED == TRUE)
btm_sec_auth_complete(UINT16 handle,UINT8 status)3858 void btm_sec_auth_complete (UINT16 handle, UINT8 status)
3859 {
3860 UINT8 res;
3861 UINT8 old_sm4;
3862 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
3863 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
3864 BOOLEAN are_bonding = FALSE;
3865
3866 /* Commenting out trace due to obf/compilation problems.
3867 */
3868 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
3869 if (p_dev_rec) {
3870 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d dev->sec_state: %u Bda:%08x, RName:%s\n",
3871 btm_pair_state_descr (btm_cb.pairing_state),
3872 handle, status,
3873 p_dev_rec->sec_state,
3874 (p_dev_rec->bd_addr[2] << 24) + (p_dev_rec->bd_addr[3] << 16) + (p_dev_rec->bd_addr[4] << 8) + p_dev_rec->bd_addr[5],
3875 p_dev_rec->sec_bd_name);
3876 } else {
3877 BTM_TRACE_EVENT ("Security Manager: auth_complete PairState: %s handle:%u status:%d\n",
3878 btm_pair_state_descr (btm_cb.pairing_state),
3879 handle, status);
3880 }
3881 #endif
3882
3883 /* For transaction collision we need to wait and repeat. There is no need */
3884 /* for random timeout because only slave should receive the result */
3885 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) || (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) {
3886 btm_sec_auth_collision(handle);
3887 return;
3888 }
3889 btm_cb.collision_start_time = 0;
3890
3891 btm_restore_mode();
3892
3893 /* Check if connection was made just to do bonding. If we authenticate
3894 the connection that is up, this is the last event received.
3895 */
3896 if (p_dev_rec
3897 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3898 && !(btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE)) {
3899 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3900
3901 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3902 }
3903
3904 if (!p_dev_rec) {
3905 return;
3906 }
3907
3908 /* keep the old sm4 flag and clear the retry bit in control block */
3909 old_sm4 = p_dev_rec->sm4;
3910 p_dev_rec->sm4 &= ~BTM_SM4_RETRY;
3911
3912 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3913 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD)
3914 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) ) {
3915 are_bonding = TRUE;
3916 }
3917
3918 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
3919 && (memcmp (p_dev_rec->bd_addr, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) ) {
3920 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
3921 }
3922
3923 if (p_dev_rec->sec_state != BTM_SEC_STATE_AUTHENTICATING) {
3924 if ( (btm_cb.api.p_auth_complete_callback && status != HCI_SUCCESS)
3925 && (old_state != BTM_PAIR_STATE_IDLE) ) {
3926 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3927 p_dev_rec->dev_class,
3928 p_dev_rec->sec_bd_name, status);
3929 }
3930 return;
3931 }
3932
3933 /* There can be a race condition, when we are starting authentication and
3934 ** the peer device is doing encryption.
3935 ** If first we receive encryption change up, then initiated authentication
3936 ** can not be performed. According to the spec we can not do authentication
3937 ** on the encrypted link, so device is correct.
3938 */
3939 if ((status == HCI_ERR_COMMAND_DISALLOWED)
3940 && ((p_dev_rec->sec_flags & (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED)) ==
3941 (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))) {
3942 status = HCI_SUCCESS;
3943 }
3944
3945 /* Currently we do not notify user if it is a keyboard which connects */
3946 /* User probably Disabled the keyboard while it was asleep. Let her try */
3947 if (btm_cb.api.p_auth_complete_callback) {
3948 /* report the authentication status */
3949 if (old_state != BTM_PAIR_STATE_IDLE) {
3950 res = (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
3951 p_dev_rec->dev_class,
3952 p_dev_rec->sec_bd_name, status);
3953 if (res == BTM_SEC_DEV_REC_REMOVED) {
3954 p_dev_rec = NULL;
3955 }
3956 }
3957 }
3958
3959 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
3960
3961 #if (CLASSIC_BT_INCLUDED == TRUE)
3962 btm_sec_update_legacy_auth_state(btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR), BTM_ACL_LEGACY_AUTH_SELF);
3963 #endif
3964 /* If this is a bonding procedure can disconnect the link now */
3965 if (are_bonding) {
3966 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
3967
3968 if (status != HCI_SUCCESS) {
3969 if (((status != HCI_ERR_PEER_USER) && (status != HCI_ERR_CONN_CAUSE_LOCAL_HOST))) {
3970 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_PEER_USER, p_dev_rec->hci_handle);
3971 }
3972 } else {
3973 BTM_TRACE_DEBUG ("TRYING TO DECIDE IF CAN USE SMP_BR_CHNL\n");
3974 if (p_dev_rec->new_encryption_key_is_p256 && (btm_sec_use_smp_br_chnl(p_dev_rec))
3975 /* no LE keys are available, do deriving */
3976 && (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN) ||
3977 /* or BR key is higher security than existing LE keys */
3978 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED) &&
3979 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)))) {
3980 BTM_TRACE_DEBUG ("link encrypted afer dedic bonding can use SMP_BR_CHNL\n");
3981
3982 if (btm_sec_is_master(p_dev_rec)) {
3983 // Encryption is required to start SM over BR/EDR
3984 // indicate that this is encryption after authentication
3985 BTM_SetEncryption(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, NULL, NULL);
3986 }
3987 }
3988 l2cu_start_post_bond_timer (p_dev_rec->hci_handle);
3989 }
3990
3991 return;
3992 }
3993
3994 /* If authentication failed, notify the waiting layer */
3995 if (status != HCI_SUCCESS) {
3996 if ((old_sm4 & BTM_SM4_RETRY) == 0) {
3997 /* allow retry only once */
3998 if (status == HCI_ERR_LMP_ERR_TRANS_COLLISION) {
3999 /* not retried yet. set the retry bit */
4000 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4001 BTM_TRACE_DEBUG ("Collision retry sm4:x%x sec_flags:0x%x\n", p_dev_rec->sm4, p_dev_rec->sec_flags);
4002 }
4003 /* this retry for missing key is for Lisbon or later only.
4004 * Legacy device do not need this. the controller will drive the retry automatically */
4005 else if (HCI_ERR_KEY_MISSING == status && BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
4006 /* not retried yet. set the retry bit */
4007 p_dev_rec->sm4 |= BTM_SM4_RETRY;
4008 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4009 BTM_TRACE_DEBUG ("Retry for missing key sm4:x%x sec_flags:0x%x\n", p_dev_rec->sm4, p_dev_rec->sec_flags);
4010
4011 /* With BRCM controller, we do not need to delete the stored link key in controller.
4012 If the stack may sit on top of other controller, we may need this
4013 BTM_DeleteStoredLinkKey (bd_addr, NULL); */
4014 }
4015
4016 if (p_dev_rec->sm4 & BTM_SM4_RETRY) {
4017 btm_sec_execute_procedure (p_dev_rec);
4018 return;
4019 }
4020 }
4021
4022 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4023
4024 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_DISC_WHEN_DONE) {
4025 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4026 }
4027 return;
4028 }
4029
4030 p_dev_rec->sec_flags |= BTM_SEC_AUTHENTICATED;
4031
4032 if (p_dev_rec->pin_code_length >= 16 ||
4033 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4034 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4035 // If we have MITM protection we have a higher level of security than
4036 // provided by 16 digits PIN
4037 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4038 }
4039
4040 /* Authentication succeeded, execute the next security procedure, if any */
4041 status = btm_sec_execute_procedure (p_dev_rec);
4042
4043 /* If there is no next procedure, or procedure failed to start, notify the caller */
4044 if (status != BTM_CMD_STARTED) {
4045 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4046 }
4047 }
4048 #endif ///SMP_INCLUDED == TRUE
4049
4050
4051 /*******************************************************************************
4052 **
4053 ** Function btm_sec_encrypt_change
4054 **
4055 ** Description This function is when encryption of the connection is
4056 ** completed by the LM
4057 **
4058 ** Returns void
4059 **
4060 *******************************************************************************/
4061 #if (SMP_INCLUDED == TRUE)
btm_sec_encrypt_change(UINT16 handle,UINT8 status,UINT8 encr_enable)4062 void btm_sec_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
4063 {
4064 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4065 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4066 tACL_CONN *p_acl = NULL;
4067 #endif
4068 BTM_TRACE_EVENT ("Security Manager: encrypt_change status:%d State:%d, encr_enable = %d\n",
4069 status, (p_dev_rec) ? p_dev_rec->sec_state : 0, encr_enable);
4070 BTM_TRACE_DEBUG ("before update p_dev_rec->sec_flags=0x%x\n", (p_dev_rec) ? p_dev_rec->sec_flags : 0 );
4071
4072 /* For transaction collision we need to wait and repeat. There is no need */
4073 /* for random timeout because only slave should receive the result */
4074 if ((status == HCI_ERR_LMP_ERR_TRANS_COLLISION) ||
4075 (status == HCI_ERR_DIFF_TRANSACTION_COLLISION)) {
4076 btm_sec_auth_collision(handle);
4077 return;
4078 }
4079 btm_cb.collision_start_time = 0;
4080
4081 if (!p_dev_rec) {
4082 return;
4083 }
4084
4085 if ((status == HCI_SUCCESS) && encr_enable) {
4086 if (p_dev_rec->hci_handle == handle) {
4087 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED);
4088 if (p_dev_rec->pin_code_length >= 16 ||
4089 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4090 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4091 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4092 }
4093 } else {
4094 p_dev_rec->sec_flags |= BTM_SEC_LE_ENCRYPTED;
4095 }
4096 }
4097
4098 /* It is possible that we decrypted the link to perform role switch */
4099 /* mark link not to be encrypted, so that when we execute security next time it will kick in again */
4100 if ((status == HCI_SUCCESS) && !encr_enable) {
4101 if (p_dev_rec->hci_handle == handle) {
4102 p_dev_rec->sec_flags &= ~BTM_SEC_ENCRYPTED;
4103 } else {
4104 p_dev_rec->sec_flags &= ~BTM_SEC_LE_ENCRYPTED;
4105 }
4106 }
4107
4108 BTM_TRACE_DEBUG ("after update p_dev_rec->sec_flags=0x%x\n", p_dev_rec->sec_flags );
4109
4110 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4111 p_acl = btm_handle_to_acl(handle);
4112
4113 if (p_acl != NULL) {
4114 btm_sec_check_pending_enc_req(p_dev_rec, p_acl->transport, encr_enable);
4115 }
4116
4117 if (p_acl && p_acl->transport == BT_TRANSPORT_LE) {
4118 if (status == HCI_ERR_KEY_MISSING || status == HCI_ERR_AUTH_FAILURE ||
4119 status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) {
4120 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN);
4121 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
4122 }
4123 btm_ble_link_encrypted(p_dev_rec->ble.pseudo_addr, encr_enable);
4124 return;
4125 } else {
4126 /* BR/EDR connection, update the encryption key size to be 16 as always */
4127 p_dev_rec->enc_key_size = 16;
4128 }
4129
4130 BTM_TRACE_DEBUG ("in %s new_encr_key_256 is %d\n",
4131 __func__, p_dev_rec->new_encryption_key_is_p256);
4132
4133 if ((status == HCI_SUCCESS) && encr_enable && (p_dev_rec->hci_handle == handle)) {
4134 if (p_dev_rec->new_encryption_key_is_p256) {
4135 if (btm_sec_use_smp_br_chnl(p_dev_rec) &&
4136 btm_sec_is_master(p_dev_rec) &&
4137 /* if LE key is not known, do deriving */
4138 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN) ||
4139 /* or BR key is higher security than existing LE keys */
4140 (!(p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_AUTHED)
4141 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)))) {
4142 /* BR/EDR is encrypted with LK that can be used to derive LE LTK */
4143 p_dev_rec->new_encryption_key_is_p256 = FALSE;
4144
4145 if (p_dev_rec->no_smp_on_br) {
4146 BTM_TRACE_DEBUG ("%s NO SM over BR/EDR\n", __func__);
4147 } else {
4148 #if (CLASSIC_BT_INCLUDED == TRUE)
4149 BTM_TRACE_DEBUG ("%s start SM over BR/EDR\n", __func__);
4150 SMP_BR_PairWith(p_dev_rec->bd_addr);
4151 #endif ///CLASSIC_BT_INCLUDED == TRUE
4152 }
4153 }
4154 } else {
4155 // BR/EDR is successfully encrypted. Correct LK type if needed
4156 // (BR/EDR LK derived from LE LTK was used for encryption)
4157 if ((encr_enable == 1) && /* encryption is ON for SSP */
4158 /* LK type is for BR/EDR SC */
4159 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256 ||
4160 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
4161 if (p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) {
4162 p_dev_rec->link_key_type = BTM_LKEY_TYPE_UNAUTH_COMB;
4163 } else { /* BTM_LKEY_TYPE_AUTH_COMB_P_256 */
4164 p_dev_rec->link_key_type = BTM_LKEY_TYPE_AUTH_COMB;
4165 }
4166
4167 BTM_TRACE_DEBUG("updated link key type to %d\n", p_dev_rec->link_key_type);
4168 btm_send_link_key_notif(p_dev_rec);
4169 }
4170 }
4171 }
4172 #else
4173 btm_sec_check_pending_enc_req (p_dev_rec, BT_TRANSPORT_BR_EDR, encr_enable);
4174 #endif /* BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE */
4175
4176 /* If this encryption was started by peer do not need to do anything */
4177 if (p_dev_rec->sec_state != BTM_SEC_STATE_ENCRYPTING) {
4178 if (BTM_SEC_STATE_DELAY_FOR_ENC == p_dev_rec->sec_state) {
4179 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4180 p_dev_rec->p_callback = NULL;
4181 #if (CLASSIC_BT_INCLUDED == TRUE)
4182 l2cu_resubmit_pending_sec_req (p_dev_rec->bd_addr);
4183 #endif ///CLASSIC_BT_INCLUDED == TRUE
4184 }
4185 return;
4186 }
4187
4188 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4189 /* If encryption setup failed, notify the waiting layer */
4190 if (status != HCI_SUCCESS) {
4191 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4192 return;
4193 }
4194
4195 /* Encryption setup succeeded, execute the next security procedure, if any */
4196 status = (UINT8)btm_sec_execute_procedure (p_dev_rec);
4197 /* If there is no next procedure, or procedure failed to start, notify the caller */
4198 if (status != BTM_CMD_STARTED) {
4199 btm_sec_dev_rec_cback_event (p_dev_rec, status, FALSE);
4200 }
4201 }
4202 #endif ///SMP_INCLUDED == TRUE
4203
4204 /*******************************************************************************
4205 **
4206 ** Function btm_sec_connect_after_reject_timeout
4207 **
4208 ** Description Connection for bonding could not start because of the collision
4209 ** Initiate outgoing connection
4210 **
4211 ** Returns Pointer to the TLE struct
4212 **
4213 *******************************************************************************/
4214 #if (SMP_INCLUDED == TRUE)
btm_sec_connect_after_reject_timeout(TIMER_LIST_ENT * p_tle)4215 static void btm_sec_connect_after_reject_timeout (TIMER_LIST_ENT *p_tle)
4216 {
4217 tBTM_SEC_DEV_REC *p_dev_rec = btm_cb.p_collided_dev_rec;
4218 UNUSED(p_tle);
4219
4220 BTM_TRACE_EVENT ("btm_sec_connect_after_reject_timeout()\n");
4221 btm_cb.sec_collision_tle.param = 0;
4222 btm_cb.p_collided_dev_rec = 0;
4223
4224 if (btm_sec_dd_create_conn(p_dev_rec) != BTM_CMD_STARTED) {
4225 BTM_TRACE_WARNING ("Security Manager: btm_sec_connect_after_reject_timeout: failed to start connection\n");
4226
4227 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4228
4229 if (btm_cb.api.p_auth_complete_callback) {
4230 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4231 p_dev_rec->sec_bd_name, HCI_ERR_MEMORY_FULL);
4232 }
4233 }
4234 }
4235 #endif ///SMP_INCLUDED == TRUE
4236
4237 /*******************************************************************************
4238 **
4239 ** Function btm_sec_connected
4240 **
4241 ** Description This function is when a connection to the peer device is
4242 ** establsihed
4243 **
4244 ** Returns void
4245 **
4246 *******************************************************************************/
4247 #if (SMP_INCLUDED == TRUE)
btm_sec_connected(UINT8 * bda,UINT16 handle,UINT8 status,UINT8 enc_mode)4248 void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode)
4249 {
4250 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
4251 UINT8 res;
4252 UINT8 sec_dev_rec_status;
4253 BOOLEAN is_pairing_device = FALSE;
4254 tACL_CONN *p_acl_cb;
4255 UINT8 bit_shift = 0;
4256
4257 btm_acl_resubmit_page();
4258
4259 /* Commenting out trace due to obf/compilation problems.
4260 */
4261 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
4262 if (p_dev_rec) {
4263 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x RName:%s\n",
4264 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4265 (bda[2] << 24) + (bda[3] << 16) + (bda[4] << 8) + bda[5],
4266 p_dev_rec->sec_bd_name);
4267 } else {
4268 BTM_TRACE_EVENT ("Security Manager: btm_sec_connected in state: %s handle:%d status:%d enc_mode:%d bda:%x \n",
4269 btm_pair_state_descr(btm_cb.pairing_state), handle, status, enc_mode,
4270 (bda[2] << 24) + (bda[3] << 16) + (bda[4] << 8) + bda[5]);
4271 }
4272 #endif
4273
4274 if (!p_dev_rec) {
4275 /* There is no device record for new connection. Allocate one */
4276 if (status == HCI_SUCCESS) {
4277 p_dev_rec = btm_sec_alloc_dev (bda);
4278 } else {
4279 /* If the device matches with stored paring address
4280 * reset the paring state to idle */
4281 if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) &&
4282 (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0)) {
4283 btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE);
4284 }
4285
4286 /* can not find the device record and the status is error,
4287 * just ignore it */
4288 return;
4289 }
4290 } else { /* Update the timestamp for this device */
4291
4292 #if BLE_INCLUDED == TRUE
4293 bit_shift = (handle == p_dev_rec->ble_hci_handle) ? 8 : 0;
4294 #endif
4295 p_dev_rec->timestamp = btm_cb.dev_rec_count++;
4296 if (p_dev_rec->sm4 & BTM_SM4_CONN_PEND) {
4297 /* tell L2CAP it's a bonding connection. */
4298 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4299 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4300 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) ) {
4301 /* if incoming connection failed while pairing, then try to connect and continue */
4302 /* Motorola S9 disconnects without asking pin code */
4303 if ((status != HCI_SUCCESS) && (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ)) {
4304 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: incoming connection failed without asking PIN\n");
4305
4306 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4307 if (p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) {
4308 /* Start timer with 0 to initiate connection with new LCB */
4309 /* because L2CAP will delete current LCB with this event */
4310 btm_cb.p_collided_dev_rec = p_dev_rec;
4311 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4312 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4313 } else {
4314 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4315 BTM_ReadRemoteDeviceName(p_dev_rec->bd_addr, NULL, BT_TRANSPORT_BR_EDR);
4316 }
4317 #if BTM_DISC_DURING_RS == TRUE
4318 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4319 #endif
4320 return;
4321 } else {
4322 l2cu_update_lcb_4_bonding(p_dev_rec->bd_addr, TRUE);
4323 }
4324 }
4325 /* always clear the pending flag */
4326 p_dev_rec->sm4 &= ~BTM_SM4_CONN_PEND;
4327 }
4328 }
4329
4330 #if BLE_INCLUDED == TRUE
4331 p_dev_rec->device_type |= BT_DEVICE_TYPE_BREDR;
4332 #endif
4333
4334 #if BTM_DISC_DURING_RS == TRUE
4335 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4336 #endif
4337
4338 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4339
4340 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4341 && (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0) ) {
4342 /* if we rejected incoming connection from bonding device */
4343 if ((status == HCI_ERR_HOST_REJECT_DEVICE)
4344 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_REJECTED_CONNECT)) {
4345 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: HCI_Conn_Comp Flags:0x%04x, sm4: 0x%x\n",
4346 btm_cb.pairing_flags, p_dev_rec->sm4);
4347
4348 btm_cb.pairing_flags &= ~BTM_PAIR_FLAGS_REJECTED_CONNECT;
4349 if (BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
4350 /* Try again: RNR when no ACL causes HCI_RMT_HOST_SUP_FEAT_NOTIFY_EVT */
4351 btm_sec_change_pairing_state (BTM_PAIR_STATE_GET_REM_NAME);
4352 BTM_ReadRemoteDeviceName(bda, NULL, BT_TRANSPORT_BR_EDR);
4353 return;
4354 }
4355
4356 /* if we already have pin code */
4357 if (btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_LOCAL_PIN) {
4358 /* Start timer with 0 to initiate connection with new LCB */
4359 /* because L2CAP will delete current LCB with this event */
4360 btm_cb.p_collided_dev_rec = p_dev_rec;
4361 btm_cb.sec_collision_tle.param = (UINT32) btm_sec_connect_after_reject_timeout;
4362 btu_start_timer (&btm_cb.sec_collision_tle, BTU_TTYPE_USER_FUNC, 0);
4363 }
4364
4365 return;
4366 }
4367 /* wait for incoming connection without resetting pairing state */
4368 else if (status == HCI_ERR_CONNECTION_EXISTS) {
4369 BTM_TRACE_WARNING ("Security Manager: btm_sec_connected: Wait for incoming connection\n");
4370 return;
4371 }
4372
4373 is_pairing_device = TRUE;
4374 }
4375
4376 /* If connection was made to do bonding restore link security if changed */
4377 btm_restore_mode();
4378
4379 /* if connection fails during pin request, notify application */
4380 if (status != HCI_SUCCESS) {
4381 /* If connection failed because of during pairing, need to tell user */
4382 if (is_pairing_device) {
4383 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4384 p_dev_rec->sec_flags &= ~((BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED) << bit_shift);
4385 BTM_TRACE_DEBUG ("security_required:%x \n", p_dev_rec->security_required );
4386
4387 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4388
4389 /* We need to notify host that the key is not known any more */
4390 if (btm_cb.api.p_auth_complete_callback) {
4391 sec_dev_rec_status = (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4392 p_dev_rec->dev_class,
4393 p_dev_rec->sec_bd_name, status);
4394 if (sec_dev_rec_status == BTM_SEC_DEV_REC_REMOVED) {
4395 p_dev_rec = NULL;
4396 }
4397 }
4398 }
4399 /*
4400 Do not send authentication failure, if following conditions hold good
4401 1. BTM Sec Pairing state is idle
4402 2. Link key for the remote device is present.
4403 3. Remote is SSP capable.
4404 */
4405 else if ((p_dev_rec->link_key_type <= BTM_LKEY_TYPE_REMOTE_UNIT) &&
4406 (((status == HCI_ERR_AUTH_FAILURE) ||
4407 (status == HCI_ERR_KEY_MISSING) ||
4408 (status == HCI_ERR_HOST_REJECT_SECURITY) ||
4409 (status == HCI_ERR_PAIRING_NOT_ALLOWED) ||
4410 (status == HCI_ERR_UNIT_KEY_USED) ||
4411 (status == HCI_ERR_PAIRING_WITH_UNIT_KEY_NOT_SUPPORTED) ||
4412 (status == HCI_ERR_ENCRY_MODE_NOT_ACCEPTABLE) ||
4413 (status == HCI_ERR_REPEATED_ATTEMPTS)))) {
4414 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4415 p_dev_rec->sec_flags &= ~ (BTM_SEC_LE_LINK_KEY_KNOWN << bit_shift);
4416
4417
4418 #ifdef BRCM_NOT_4_BTE
4419 /* If we rejected pairing, pass this special result code */
4420 if (btm_cb.acl_disc_reason == HCI_ERR_HOST_REJECT_SECURITY) {
4421 status = HCI_ERR_HOST_REJECT_SECURITY;
4422 }
4423 #endif
4424
4425 /* We need to notify host that the key is not known any more */
4426 if (btm_cb.api.p_auth_complete_callback) {
4427 sec_dev_rec_status = (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4428 p_dev_rec->dev_class,
4429 p_dev_rec->sec_bd_name, status);
4430 if (sec_dev_rec_status == BTM_SEC_DEV_REC_REMOVED) {
4431 p_dev_rec = NULL;
4432 }
4433 }
4434 }
4435
4436 if (status == HCI_ERR_CONNECTION_TOUT || status == HCI_ERR_LMP_RESPONSE_TIMEOUT ||
4437 status == HCI_ERR_UNSPECIFIED || status == HCI_ERR_PAGE_TIMEOUT) {
4438 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_DEVICE_TIMEOUT, FALSE);
4439 } else {
4440 btm_sec_dev_rec_cback_event (p_dev_rec, BTM_ERR_PROCESSING, FALSE);
4441 }
4442
4443 return;
4444 }
4445
4446 /* If initiated dedicated bonding, return the link key now, and initiate disconnect */
4447 /* If dedicated bonding, and we now have a link key, we are all done */
4448 if ( is_pairing_device
4449 && (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) ) {
4450 if (p_dev_rec->link_key_not_sent) {
4451 p_dev_rec->link_key_not_sent = FALSE;
4452 btm_send_link_key_notif(p_dev_rec);
4453 }
4454
4455 p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
4456
4457 /* remember flag before it is initialized */
4458 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) {
4459 res = TRUE;
4460 } else {
4461 res = FALSE;
4462 }
4463
4464 if (btm_cb.api.p_auth_complete_callback) {
4465 sec_dev_rec_status = (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4466 p_dev_rec->dev_class,
4467 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4468 if (sec_dev_rec_status == BTM_SEC_DEV_REC_REMOVED) {
4469 p_dev_rec = NULL;
4470 }
4471 }
4472
4473 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4474
4475 if ( res ) {
4476 /* Let l2cap start bond timer */
4477 l2cu_update_lcb_4_bonding (p_dev_rec->bd_addr, TRUE);
4478 }
4479
4480 return;
4481 }
4482
4483 p_dev_rec->hci_handle = handle;
4484
4485 /* role may not be correct here, it will be updated by l2cap, but we need to */
4486 /* notify btm_acl that link is up, so starting of rmt name request will not */
4487 /* set paging flag up */
4488 p_acl_cb = btm_bda_to_acl(bda, BT_TRANSPORT_BR_EDR);
4489 if (p_acl_cb) {
4490 /* whatever is in btm_establish_continue() without reporting the BTM_BL_CONN_EVT event */
4491 #if (!defined(BTM_BYPASS_EXTRA_ACL_SETUP) || BTM_BYPASS_EXTRA_ACL_SETUP == FALSE)
4492 /* For now there are a some devices that do not like sending */
4493 /* commands events and data at the same time. */
4494 /* Set the packet types to the default allowed by the device */
4495 btm_set_packet_types (p_acl_cb, btm_cb.btm_acl_pkt_types_supported);
4496
4497 if (btm_cb.btm_def_link_policy) {
4498 BTM_SetLinkPolicy (p_acl_cb->remote_addr, &btm_cb.btm_def_link_policy);
4499 }
4500 #endif
4501 }
4502 btm_acl_created (bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name, handle, HCI_ROLE_SLAVE, BT_TRANSPORT_BR_EDR);
4503
4504 /* Initialize security flags. We need to do that because some */
4505 /* authorization complete could have come after the connection is dropped */
4506 /* and that would set wrong flag that link has been authorized already */
4507 p_dev_rec->sec_flags &= ~((BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED |
4508 BTM_SEC_ENCRYPTED | BTM_SEC_ROLE_SWITCHED) << bit_shift);
4509
4510 if (enc_mode != HCI_ENCRYPT_MODE_DISABLED) {
4511 p_dev_rec->sec_flags |= ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
4512 }
4513
4514 if (btm_cb.security_mode == BTM_SEC_MODE_LINK) {
4515 p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
4516 }
4517
4518 if (p_dev_rec->pin_code_length >= 16 ||
4519 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4520 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4521 p_dev_rec->sec_flags |= (BTM_SEC_16_DIGIT_PIN_AUTHED << bit_shift);
4522 }
4523
4524 p_dev_rec->link_key_changed = FALSE;
4525
4526 /* After connection is established we perform security if we do not know */
4527 /* the name, or if we are originator because some procedure can have */
4528 /* been scheduled while connection was down */
4529 BTM_TRACE_DEBUG ("is_originator:%d \n", p_dev_rec->is_originator);
4530 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN) || p_dev_rec->is_originator) {
4531 if ((res = btm_sec_execute_procedure (p_dev_rec)) != BTM_CMD_STARTED) {
4532 btm_sec_dev_rec_cback_event (p_dev_rec, res, FALSE);
4533 }
4534 }
4535 return;
4536 }
4537
4538 /*******************************************************************************
4539 **
4540 ** Function btm_sec_disconnect
4541 **
4542 ** Description This function is called to disconnect HCI link
4543 **
4544 ** Returns btm status
4545 **
4546 *******************************************************************************/
btm_sec_disconnect(UINT16 handle,UINT8 reason)4547 tBTM_STATUS btm_sec_disconnect (UINT16 handle, UINT8 reason)
4548 {
4549 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4550
4551 /* In some weird race condition we may not have a record */
4552 if (!p_dev_rec) {
4553 btsnd_hcic_disconnect (handle, reason);
4554 return (BTM_SUCCESS);
4555 }
4556
4557 /* If we are in the process of bonding we need to tell client that auth failed */
4558 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4559 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)
4560 && (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) ) {
4561 /* we are currently doing bonding. Link will be disconnected when done */
4562 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_DISC_WHEN_DONE;
4563 return (BTM_BUSY);
4564 }
4565
4566 return (btm_sec_send_hci_disconnect(p_dev_rec, reason, handle));
4567 }
4568
4569 /*******************************************************************************
4570 **
4571 ** Function btm_sec_disconnected
4572 **
4573 ** Description This function is when a connection to the peer device is
4574 ** dropped
4575 **
4576 ** Returns void
4577 **
4578 *******************************************************************************/
btm_sec_disconnected(UINT16 handle,UINT8 reason)4579 void btm_sec_disconnected (UINT16 handle, UINT8 reason)
4580 {
4581 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
4582 UINT8 old_pairing_flags = btm_cb.pairing_flags;
4583 int result = HCI_ERR_AUTH_FAILURE;
4584 tBTM_SEC_CALLBACK *p_callback = NULL;
4585 tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
4586
4587 /* If page was delayed for disc complete, can do it now */
4588 btm_cb.discing = FALSE;
4589
4590 #if (CLASSIC_BT_INCLUDED == TRUE)
4591 btm_acl_resubmit_page();
4592 #endif
4593
4594 if (!p_dev_rec) {
4595 return;
4596 }
4597 p_dev_rec->enc_init_by_we = FALSE;
4598 transport = (handle == p_dev_rec->hci_handle) ? BT_TRANSPORT_BR_EDR : BT_TRANSPORT_LE;
4599
4600 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4601
4602 #if BTM_DISC_DURING_RS == TRUE
4603 p_dev_rec->rs_disc_pending = BTM_SEC_RS_NOT_PENDING; /* reset flag */
4604 #endif
4605
4606 /* clear unused flags */
4607 p_dev_rec->sm4 &= BTM_SM4_TRUE;
4608 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
4609 uint8_t *bd_addr = (uint8_t *)p_dev_rec->bd_addr;
4610 BTM_TRACE_EVENT("%s sec_req:x%x state:%s reason:%d bd_addr:%02x:%02x:%02x:%02x:%02x:%02x"
4611 " remote_name:%s\n", __func__, p_dev_rec->security_required, btm_pair_state_descr(btm_cb.pairing_state),
4612 reason, bd_addr[0], bd_addr[1], bd_addr[2], bd_addr[3], bd_addr[4], bd_addr[5], p_dev_rec->sec_bd_name);
4613 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
4614 BTM_TRACE_EVENT("%s before update sec_flags=0x%x\n", __func__, p_dev_rec->sec_flags);
4615
4616 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4617 btm_ble_update_mode_operation(HCI_ROLE_UNKNOWN, p_dev_rec->bd_addr, HCI_SUCCESS);
4618 /* see sec_flags processing in btm_acl_removed */
4619
4620 if (transport == BT_TRANSPORT_LE) {
4621 p_dev_rec->ble_hci_handle = BTM_SEC_INVALID_HANDLE;
4622 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHENTICATED | BTM_SEC_LE_ENCRYPTED);
4623 p_dev_rec->enc_key_size = 0;
4624 } else
4625 #endif
4626 {
4627 p_dev_rec->hci_handle = BTM_SEC_INVALID_HANDLE;
4628 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED
4629 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
4630 }
4631
4632 #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
4633 if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH) {
4634 p_dev_rec->sec_state = (transport == BT_TRANSPORT_LE) ?
4635 BTM_SEC_STATE_DISCONNECTING : BTM_SEC_STATE_DISCONNECTING_BLE;
4636 return;
4637 }
4638 #endif
4639 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
4640 p_dev_rec->security_required = BTM_SEC_NONE;
4641
4642 p_callback = p_dev_rec->p_callback;
4643
4644 /* if security is pending, send callback to clean up the security state */
4645 if (p_callback) {
4646 p_dev_rec->p_callback = NULL; /* when the peer device time out the authentication before
4647 we do, this call back must be reset here */
4648 (*p_callback) (p_dev_rec->bd_addr, transport, p_dev_rec->p_ref_data, BTM_ERR_PROCESSING);
4649 }
4650
4651 BTM_TRACE_EVENT("%s after update sec_flags=0x%x\n", __func__, p_dev_rec->sec_flags);
4652
4653 /* If we are in the process of bonding we need to tell client that auth failed */
4654 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4655 && (memcmp (btm_cb.pairing_bda, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0)) {
4656 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4657 p_dev_rec->sec_flags &= ~BTM_SEC_LINK_KEY_KNOWN;
4658 if (btm_cb.api.p_auth_complete_callback) {
4659 /* If the disconnection reason is REPEATED_ATTEMPTS,
4660 send this error message to complete callback function
4661 to display the error message of Repeated attempts.
4662 All others, send HCI_ERR_AUTH_FAILURE. */
4663 if (reason == HCI_ERR_REPEATED_ATTEMPTS) {
4664 result = HCI_ERR_REPEATED_ATTEMPTS;
4665 } else if (old_pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) {
4666 result = HCI_ERR_HOST_REJECT_SECURITY;
4667 }
4668 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4669 p_dev_rec->sec_bd_name, result);
4670 }
4671 }
4672 }
4673
4674 /*******************************************************************************
4675 **
4676 ** Function btm_sec_link_key_notification
4677 **
4678 ** Description This function is called when a new connection link key is
4679 ** generated
4680 **
4681 ** Returns Pointer to the record or NULL
4682 **
4683 *******************************************************************************/
btm_sec_link_key_notification(UINT8 * p_bda,UINT8 * p_link_key,UINT8 key_type)4684 void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_type)
4685 {
4686 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4687 BOOLEAN we_are_bonding = FALSE;
4688 BOOLEAN ltk_derived_lk = FALSE;
4689 UINT8 res;
4690
4691 BTM_TRACE_EVENT ("btm_sec_link_key_notification() BDA:%04x%08x, TYPE: %d\n",
4692 (p_bda[0] << 8) + p_bda[1], (p_bda[2] << 24) + (p_bda[3] << 16) + (p_bda[4] << 8) + p_bda[5],
4693 key_type);
4694
4695 if ((key_type >= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_COMBINATION) &&
4696 (key_type <= BTM_LTK_DERIVED_LKEY_OFFSET + BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
4697 ltk_derived_lk = TRUE;
4698 key_type -= BTM_LTK_DERIVED_LKEY_OFFSET;
4699 }
4700 /* If connection was made to do bonding restore link security if changed */
4701 btm_restore_mode();
4702
4703 /* Store the previous state of secure connection as current state. Since
4704 * this is the first encounter with the remote device, whatever the remote
4705 * device's SC state is, it cannot lower the SC level from this. */
4706 p_dev_rec->remote_secure_connection_previous_state = p_dev_rec->remote_supports_secure_connections;
4707 if (p_dev_rec->remote_supports_secure_connections) {
4708 BTM_TRACE_EVENT ("Remote device supports Secure Connection");
4709 } else {
4710 BTM_TRACE_EVENT ("Remote device does not support Secure Connection");
4711 }
4712 if (key_type != BTM_LKEY_TYPE_CHANGED_COMB) {
4713 p_dev_rec->link_key_type = key_type;
4714 }
4715
4716 p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
4717
4718 #if (CLASSIC_BT_INCLUDED == TRUE)
4719 btm_sec_update_legacy_auth_state(btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR), BTM_ACL_LEGACY_AUTH_NONE);
4720 #endif
4721 /*
4722 * Until this point in time, we do not know if MITM was enabled, hence we
4723 * add the extended security flag here.
4724 */
4725 if (p_dev_rec->pin_code_length >= 16 ||
4726 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
4727 p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
4728 p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED;
4729 }
4730
4731 #if (BLE_INCLUDED == TRUE)
4732 /* BR/EDR connection, update the encryption key size to be 16 as always */
4733 p_dev_rec->enc_key_size = 16;
4734 #endif
4735 memcpy (p_dev_rec->link_key, p_link_key, LINK_KEY_LEN);
4736
4737 if ( (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE)
4738 && (memcmp (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN) == 0) ) {
4739 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) {
4740 we_are_bonding = TRUE;
4741 } else {
4742 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4743 }
4744 }
4745
4746 /* save LTK derived LK no matter what */
4747 if (ltk_derived_lk) {
4748 if (btm_cb.api.p_link_key_callback) {
4749 BTM_TRACE_DEBUG ("%s() Save LTK derived LK (key_type = %d)\n",
4750 __FUNCTION__, p_dev_rec->link_key_type);
4751 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4752 p_dev_rec->sec_bd_name,
4753 p_link_key, p_dev_rec->link_key_type,
4754 p_dev_rec->remote_supports_secure_connections);
4755 }
4756 } else {
4757 if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
4758 (p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
4759 p_dev_rec->new_encryption_key_is_p256 = TRUE;
4760 BTM_TRACE_DEBUG ("%s set new_encr_key_256 to %d\n",
4761 __func__, p_dev_rec->new_encryption_key_is_p256);
4762 }
4763 }
4764
4765 /* If name is not known at this point delay calling callback until the name is */
4766 /* resolved. Unless it is a HID Device and we really need to send all link keys. */
4767 if ((!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
4768 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) != BTM_COD_MAJOR_PERIPHERAL))
4769 && !ltk_derived_lk) {
4770 BTM_TRACE_EVENT ("btm_sec_link_key_notification() Delayed BDA: %08x%04x Type:%d\n",
4771 (p_bda[0] << 24) + (p_bda[1] << 16) + (p_bda[2] << 8) + p_bda[3],
4772 (p_bda[4] << 8) + p_bda[5], key_type);
4773
4774 p_dev_rec->link_key_not_sent = TRUE;
4775
4776 /* If it is for bonding nothing else will follow, so we need to start name resolution */
4777 if (we_are_bonding) {
4778 if (!(btsnd_hcic_rmt_name_req (p_bda, HCI_PAGE_SCAN_REP_MODE_R1, HCI_MANDATARY_PAGE_SCAN_MODE, 0))) {
4779 btm_inq_rmt_name_failed();
4780 }
4781 }
4782
4783 BTM_TRACE_EVENT ("rmt_io_caps:%d, sec_flags:x%x, dev_class[1]:x%02x\n", p_dev_rec->rmt_io_caps, p_dev_rec->sec_flags, p_dev_rec->dev_class[1])
4784 return;
4785 }
4786
4787 /* If its not us who perform authentication, we should tell stackserver */
4788 /* that some authentication has been completed */
4789 /* This is required when different entities receive link notification and auth complete */
4790 if (!(p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE)
4791 /* for derived key, always send authentication callback for BR channel */
4792 || ltk_derived_lk) {
4793 if (btm_cb.api.p_auth_complete_callback) {
4794 res = (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
4795 p_dev_rec->sec_bd_name, HCI_SUCCESS);
4796 if (res == BTM_SEC_DEV_REC_REMOVED) {
4797 p_dev_rec = NULL;
4798 }
4799 }
4800 }
4801
4802 /* We will save link key only if the user authorized it - BTE report link key in all cases */
4803 #ifdef BRCM_NONE_BTE
4804 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_AUTHED)
4805 #endif
4806 {
4807 if (btm_cb.api.p_link_key_callback) {
4808 if (ltk_derived_lk) {
4809 BTM_TRACE_DEBUG ("btm_sec_link_key_notification() LTK derived LK is saved already"
4810 " (key_type = %d)\n", p_dev_rec->link_key_type);
4811 } else {
4812 (*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
4813 p_dev_rec->sec_bd_name,
4814 p_link_key, p_dev_rec->link_key_type,
4815 p_dev_rec->remote_supports_secure_connections);
4816 }
4817 }
4818 }
4819 }
4820
4821 /*******************************************************************************
4822 **
4823 ** Function btm_sec_link_key_request
4824 **
4825 ** Description This function is called when controller requests link key
4826 **
4827 ** Returns Pointer to the record or NULL
4828 **
4829 *******************************************************************************/
btm_sec_link_key_request(UINT8 * p_bda)4830 void btm_sec_link_key_request (UINT8 *p_bda)
4831 {
4832 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda);
4833
4834 BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x\n",
4835 p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]);
4836
4837 if ( (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_PIN_REQ) &&
4838 (btm_cb.collision_start_time != 0) &&
4839 (memcmp (btm_cb.p_collided_dev_rec->bd_addr, p_bda, BD_ADDR_LEN) == 0) ) {
4840 BTM_TRACE_EVENT ("btm_sec_link_key_request() rejecting link key req "
4841 "State: %d START_TIMEOUT : %d\n",
4842 btm_cb.pairing_state, btm_cb.collision_start_time);
4843 btsnd_hcic_link_key_neg_reply (p_bda);
4844 return;
4845 }
4846 if (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN) {
4847 btsnd_hcic_link_key_req_reply (p_bda, p_dev_rec->link_key);
4848 return;
4849 }
4850
4851 /* Notify L2CAP to increase timeout */
4852 l2c_pin_code_request (p_bda);
4853
4854 /* The link key is not in the database and it is not known to the manager */
4855 btsnd_hcic_link_key_neg_reply (p_bda);
4856 }
4857 #endif ///SMP_INCLUDED == TRUE
4858
4859 /*******************************************************************************
4860 **
4861 ** Function btm_sec_pairing_timeout
4862 **
4863 ** Description This function is called when host does not provide PIN
4864 ** within requested time
4865 **
4866 ** Returns Pointer to the TLE struct
4867 **
4868 *******************************************************************************/
4869 #if (SMP_INCLUDED == TRUE)
btm_sec_pairing_timeout(TIMER_LIST_ENT * p_tle)4870 static void btm_sec_pairing_timeout (TIMER_LIST_ENT *p_tle)
4871 {
4872 tBTM_CB *p_cb = &btm_cb;
4873 tBTM_SEC_DEV_REC *p_dev_rec;
4874 #if BTM_OOB_INCLUDED == TRUE
4875 #if (BTM_LOCAL_IO_CAPS == BTM_IO_CAP_NONE)
4876 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
4877 #else
4878 tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_YES;
4879 #endif
4880 #endif
4881 UINT8 name[2];
4882 UNUSED(p_tle);
4883
4884 p_cb->pairing_tle.param = 0;
4885 /* Coverity: FALSE-POSITIVE error from Coverity tool. Please do NOT remove following comment. */
4886 /* coverity[UNUSED_VALUE] pointer p_dev_rec is actually used several times... This is a Coverity false-positive, i.e. a fake issue.
4887 */
4888 p_dev_rec = btm_find_dev (p_cb->pairing_bda);
4889 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
4890 BTM_TRACE_EVENT ("btm_sec_pairing_timeout() State: %s Flags: %u\n",
4891 btm_pair_state_descr(p_cb->pairing_state), p_cb->pairing_flags);
4892 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
4893 switch (p_cb->pairing_state) {
4894 case BTM_PAIR_STATE_WAIT_PIN_REQ:
4895 btm_sec_bond_cancel_complete();
4896 break;
4897
4898 case BTM_PAIR_STATE_WAIT_LOCAL_PIN:
4899 if ( (btm_cb.pairing_flags & BTM_PAIR_FLAGS_PRE_FETCH_PIN) == 0) {
4900 btsnd_hcic_pin_code_neg_reply (p_cb->pairing_bda);
4901 }
4902 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4903 /* We need to notify the UI that no longer need the PIN */
4904 if (btm_cb.api.p_auth_complete_callback) {
4905 if (p_dev_rec == NULL) {
4906 name[0] = 0;
4907 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4908 NULL,
4909 name, HCI_ERR_CONNECTION_TOUT);
4910 } else {
4911 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4912 p_dev_rec->dev_class,
4913 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4914 }
4915 }
4916 break;
4917
4918 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM:
4919 btsnd_hcic_user_conf_reply (p_cb->pairing_bda, FALSE);
4920 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4921 break;
4922
4923 #if (BT_SSP_INCLUDED == TRUE)
4924 case BTM_PAIR_STATE_KEY_ENTRY:
4925 btsnd_hcic_user_passkey_neg_reply(p_cb->pairing_bda);
4926 /* btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE); */
4927 break;
4928 #endif /* !BTM_IO_CAP_NONE */
4929
4930 #if BTM_OOB_INCLUDED == TRUE
4931 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS:
4932 if (btm_cb.pairing_flags & BTM_PAIR_FLAGS_WE_STARTED_DD) {
4933 auth_req |= BTM_AUTH_DD_BOND;
4934 }
4935
4936 btsnd_hcic_io_cap_req_reply (p_cb->pairing_bda, btm_cb.devcb.loc_io_caps,
4937 BTM_OOB_NONE, auth_req);
4938 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4939 break;
4940
4941 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP:
4942 btsnd_hcic_rem_oob_neg_reply (p_cb->pairing_bda);
4943 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4944 break;
4945 #endif /* BTM_OOB_INCLUDED */
4946
4947 case BTM_PAIR_STATE_WAIT_DISCONNECT:
4948 /* simple pairing failed. Started a 1-sec timer at simple pairing complete.
4949 * now it's time to tear down the ACL link*/
4950 if (p_dev_rec == NULL) {
4951 BTM_TRACE_ERROR ("btm_sec_pairing_timeout() BTM_PAIR_STATE_WAIT_DISCONNECT unknown BDA: %08x%04x\n",
4952 (p_cb->pairing_bda[0] << 24) + (p_cb->pairing_bda[1] << 16) + (p_cb->pairing_bda[2] << 8) + p_cb->pairing_bda[3],
4953 (p_cb->pairing_bda[4] << 8) + p_cb->pairing_bda[5]);
4954 break;
4955 }
4956 btm_sec_send_hci_disconnect (p_dev_rec, HCI_ERR_AUTH_FAILURE, p_dev_rec->hci_handle);
4957 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4958 break;
4959
4960 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE:
4961 case BTM_PAIR_STATE_GET_REM_NAME:
4962 /* We need to notify the UI that timeout has happened while waiting for authentication*/
4963 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4964 if (btm_cb.api.p_auth_complete_callback) {
4965 if (p_dev_rec == NULL) {
4966 name[0] = 0;
4967 (*btm_cb.api.p_auth_complete_callback) (p_cb->pairing_bda,
4968 NULL,
4969 name, HCI_ERR_CONNECTION_TOUT);
4970 } else {
4971 (*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
4972 p_dev_rec->dev_class,
4973 p_dev_rec->sec_bd_name, HCI_ERR_CONNECTION_TOUT);
4974 }
4975 }
4976 break;
4977
4978 default:
4979 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
4980 BTM_TRACE_WARNING ("btm_sec_pairing_timeout() not processed state: %s\n", btm_pair_state_descr(btm_cb.pairing_state));
4981 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
4982 btm_sec_change_pairing_state (BTM_PAIR_STATE_IDLE);
4983 break;
4984 }
4985 }
4986
4987 #if (CLASSIC_BT_INCLUDED == TRUE)
4988 /*******************************************************************************
4989 **
4990 ** Function btm_sec_pin_code_request
4991 **
4992 ** Description This function is called when controller requests PIN code
4993 **
4994 ** Returns Pointer to the record or NULL
4995 **
4996 *******************************************************************************/
btm_sec_pin_code_request(UINT8 * p_bda)4997 void btm_sec_pin_code_request (UINT8 *p_bda)
4998 {
4999 tBTM_SEC_DEV_REC *p_dev_rec;
5000 tBTM_CB *p_cb = &btm_cb;
5001
5002 #ifdef PORCHE_PAIRING_CONFLICT
5003 UINT8 default_pin_code_len = 4;
5004 PIN_CODE default_pin_code = {0x30, 0x30, 0x30, 0x30};
5005 #endif
5006 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
5007 BTM_TRACE_EVENT ("btm_sec_pin_code_request() State: %s, BDA:%04x%08x\n",
5008 btm_pair_state_descr(btm_cb.pairing_state),
5009 (p_bda[0] << 8) + p_bda[1], (p_bda[2] << 24) + (p_bda[3] << 16) + (p_bda[4] << 8) + p_bda[5] );
5010 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
5011 if (btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) {
5012 if ( (memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) == 0) &&
5013 (btm_cb.pairing_state == BTM_PAIR_STATE_WAIT_AUTH_COMPLETE) ) {
5014 /* fake this out - porshe carkit issue - */
5015 // btm_cb.pairing_state = BTM_PAIR_STATE_IDLE;
5016 if (! btm_cb.pin_code_len_saved) {
5017 btsnd_hcic_pin_code_neg_reply (p_bda);
5018 return;
5019 } else {
5020 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5021 return;
5022 }
5023 } else if ((btm_cb.pairing_state != BTM_PAIR_STATE_WAIT_PIN_REQ)
5024 || memcmp (p_bda, btm_cb.pairing_bda, BD_ADDR_LEN) != 0) {
5025 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
5026 BTM_TRACE_WARNING ("btm_sec_pin_code_request() rejected - state: %s\n",
5027 btm_pair_state_descr(btm_cb.pairing_state));
5028 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
5029 #ifdef PORCHE_PAIRING_CONFLICT
5030 /* reply pin code again due to counter in_rand when local initiates pairing */
5031 BTM_TRACE_EVENT ("btm_sec_pin_code_request from remote dev. for local initiated pairing\n");
5032 if (! btm_cb.pin_code_len_saved) {
5033 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5034 btsnd_hcic_pin_code_req_reply (p_bda, default_pin_code_len, default_pin_code);
5035 } else {
5036 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5037 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len_saved, p_cb->pin_code);
5038 }
5039 #else
5040 btsnd_hcic_pin_code_neg_reply (p_bda);
5041 #endif
5042 return;
5043 }
5044 }
5045
5046 p_dev_rec = btm_find_or_alloc_dev (p_bda);
5047 /* received PIN code request. must be non-sm4 */
5048 p_dev_rec->sm4 = BTM_SM4_KNOWN;
5049
5050 if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) {
5051 memcpy (btm_cb.pairing_bda, p_bda, BD_ADDR_LEN);
5052
5053 btm_cb.pairing_flags = BTM_PAIR_FLAGS_PEER_STARTED_DD;
5054 /* Make sure we reset the trusted mask to help against attacks */
5055 BTM_SEC_CLR_TRUSTED_DEVICE(p_dev_rec->trusted_mask);
5056 }
5057
5058 if (!p_cb->pairing_disabled && (p_cb->cfg.pin_type == HCI_PIN_TYPE_FIXED)) {
5059 BTM_TRACE_EVENT ("btm_sec_pin_code_request fixed pin replying\n");
5060 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5061 btsnd_hcic_pin_code_req_reply (p_bda, p_cb->cfg.pin_code_len, p_cb->cfg.pin_code);
5062 return;
5063 }
5064
5065 /* Use the connecting device's CoD for the connection */
5066 if ( (!memcmp (p_bda, p_cb->connecting_bda, BD_ADDR_LEN))
5067 && (p_cb->connecting_dc[0] || p_cb->connecting_dc[1] || p_cb->connecting_dc[2]) ) {
5068 memcpy (p_dev_rec->dev_class, p_cb->connecting_dc, DEV_CLASS_LEN);
5069 }
5070
5071 /* We could have started connection after asking user for the PIN code */
5072 if (btm_cb.pin_code_len != 0) {
5073 BTM_TRACE_EVENT ("btm_sec_pin_code_request bonding sending reply\n");
5074 btsnd_hcic_pin_code_req_reply (p_bda, btm_cb.pin_code_len, p_cb->pin_code);
5075
5076 #ifdef PORCHE_PAIRING_CONFLICT
5077 btm_cb.pin_code_len_saved = btm_cb.pin_code_len;
5078 #endif
5079
5080 /* Mark that we forwarded received from the user PIN code */
5081 btm_cb.pin_code_len = 0;
5082
5083 /* We can change mode back right away, that other connection being established */
5084 /* is not forced to be secure - found a FW issue, so we can not do this
5085 btm_restore_mode(); */
5086
5087 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_AUTH_COMPLETE);
5088 }
5089
5090 /* If pairing disabled OR (no PIN callback and not bonding) */
5091 /* OR we could not allocate entry in the database reject pairing request */
5092 else if (p_cb->pairing_disabled
5093 || (p_cb->api.p_pin_callback == NULL)
5094
5095 /* OR Microsoft keyboard can for some reason try to establish connection */
5096 /* the only thing we can do here is to shut it up. Normally we will be originator */
5097 /* for keyboard bonding */
5098 || (!p_dev_rec->is_originator
5099 && ((p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK) == BTM_COD_MAJOR_PERIPHERAL)
5100 && (p_dev_rec->dev_class[2] & BTM_COD_MINOR_KEYBOARD)) ) {
5101 BTM_TRACE_WARNING("btm_sec_pin_code_request(): Pairing disabled:%d; PIN callback:%p, Dev Rec:%p!\n",
5102 p_cb->pairing_disabled, p_cb->api.p_pin_callback, p_dev_rec);
5103
5104 btsnd_hcic_pin_code_neg_reply (p_bda);
5105 }
5106 /* Notify upper layer of PIN request and start expiration timer */
5107 else {
5108 btm_cb.pin_code_len_saved = 0;
5109 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5110 /* Pin code request can not come at the same time as connection request */
5111 memcpy (p_cb->connecting_bda, p_bda, BD_ADDR_LEN);
5112 memcpy (p_cb->connecting_dc, p_dev_rec->dev_class, DEV_CLASS_LEN);
5113
5114 BTM_TRACE_EVENT ("btm_sec_pin_code_request going for callback\n");
5115 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5116 if (p_cb->api.p_pin_callback) {
5117 (*p_cb->api.p_pin_callback) (p_bda, p_dev_rec->dev_class, p_dev_rec->sec_bd_name,
5118 (p_dev_rec->p_cur_service == NULL) ? FALSE
5119 : (p_dev_rec->p_cur_service->security_flags
5120 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5121 }
5122 }
5123 return;
5124 }
5125 #endif ///CLASSIC_BT_INCLUDED == TRUE
5126 #endif ///SMP_INCLUDED == TRUE
5127
5128
5129 /*******************************************************************************
5130 **
5131 ** Function btm_sec_update_clock_offset
5132 **
5133 ** Description This function is called to update clock offset
5134 **
5135 ** Returns void
5136 **
5137 *******************************************************************************/
btm_sec_update_clock_offset(UINT16 handle,UINT16 clock_offset)5138 void btm_sec_update_clock_offset (UINT16 handle, UINT16 clock_offset)
5139 {
5140 tBTM_SEC_DEV_REC *p_dev_rec;
5141 tBTM_INQ_INFO *p_inq_info;
5142
5143 if ((p_dev_rec = btm_find_dev_by_handle (handle)) == NULL) {
5144 return;
5145 }
5146
5147 p_dev_rec->clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5148
5149 if ((p_inq_info = BTM_InqDbRead(p_dev_rec->bd_addr)) == NULL) {
5150 return;
5151 }
5152
5153 p_inq_info->results.clock_offset = clock_offset | BTM_CLOCK_OFFSET_VALID;
5154 }
5155
5156
5157 /******************************************************************
5158 ** S T A T I C F U N C T I O N S
5159 *******************************************************************/
5160
5161 /*******************************************************************************
5162 **
5163 ** Function btm_sec_execute_procedure
5164 **
5165 ** Description This function is called to start required security
5166 ** procedure. There is a case when multiplexing protocol
5167 ** calls this function on the originating side, connection to
5168 ** the peer will not be established. This function in this
5169 ** case performs only authorization.
5170 **
5171 ** Returns BTM_SUCCESS - permission is granted
5172 ** BTM_CMD_STARTED - in process
5173 ** BTM_NO_RESOURCES - permission declined
5174 **
5175 *******************************************************************************/
5176 #if (SMP_INCLUDED == TRUE)
btm_sec_execute_procedure(tBTM_SEC_DEV_REC * p_dev_rec)5177 static tBTM_STATUS btm_sec_execute_procedure (tBTM_SEC_DEV_REC *p_dev_rec)
5178 {
5179 BTM_TRACE_EVENT ("btm_sec_execute_procedure: Required:0x%x Flags:0x%x State:%d\n",
5180 p_dev_rec->security_required, p_dev_rec->sec_flags, p_dev_rec->sec_state);
5181
5182 /* There is a chance that we are getting name. Wait until done. */
5183 if (p_dev_rec->sec_state != 0) {
5184 return (BTM_CMD_STARTED);
5185 }
5186
5187 /* If any security is required, get the name first */
5188 if (!(p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5189 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
5190 BTM_TRACE_EVENT ("Security Manager: Start get name\n");
5191 if (!btm_sec_start_get_name (p_dev_rec)) {
5192 return (BTM_NO_RESOURCES);
5193 }
5194 return (BTM_CMD_STARTED);
5195 }
5196
5197 /* If connection is not authenticated and authentication is required */
5198 /* start authentication and return PENDING to the caller */
5199 if ((((!(p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED))
5200 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHENTICATE))
5201 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHENTICATE))))
5202 || (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5203 && (!p_dev_rec->is_originator
5204 && (p_dev_rec->security_required & BTM_SEC_IN_MIN_16_DIGIT_PIN))))
5205 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
5206 /*
5207 * We rely on BTM_SEC_16_DIGIT_PIN_AUTHED being set if MITM is in use,
5208 * as 16 DIGIT is only needed if MITM is not used. Unfortunately, the
5209 * BTM_SEC_AUTHENTICATED is used for both MITM and non-MITM
5210 * authenticated connections, hence we cannot distinguish here.
5211 */
5212
5213 #if (L2CAP_UCD_INCLUDED == TRUE)
5214 /* if incoming UCD packet, discard it */
5215 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE )) {
5216 return (BTM_FAILED_ON_SECURITY);
5217 }
5218 #endif
5219
5220 BTM_TRACE_EVENT ("Security Manager: Start authentication\n");
5221
5222 /*
5223 * If we do have a link-key, but we end up here because we need an
5224 * upgrade, then clear the link-key known and authenticated flag before
5225 * restarting authentication.
5226 * WARNING: If the controller has link-key, it is optional and
5227 * recommended for the controller to send a Link_Key_Request.
5228 * In case we need an upgrade, the only alternative would be to delete
5229 * the existing link-key. That could lead to very bad user experience
5230 * or even IOP issues, if a reconnect causes a new connection that
5231 * requires an upgrade.
5232 */
5233 if ((p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)
5234 && (!(p_dev_rec->sec_flags & BTM_SEC_16_DIGIT_PIN_AUTHED)
5235 && (!p_dev_rec->is_originator && (p_dev_rec->security_required
5236 & BTM_SEC_IN_MIN_16_DIGIT_PIN)))) {
5237 p_dev_rec->sec_flags &= ~(BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
5238 | BTM_SEC_AUTHENTICATED);
5239 }
5240
5241 if (!btm_sec_start_authentication (p_dev_rec)) {
5242 return (BTM_NO_RESOURCES);
5243 }
5244 return (BTM_CMD_STARTED);
5245 }
5246
5247 /* If connection is not encrypted and encryption is required */
5248 /* start encryption and return PENDING to the caller */
5249 if (!(p_dev_rec->sec_flags & BTM_SEC_ENCRYPTED)
5250 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_ENCRYPT))
5251 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_ENCRYPT)))
5252 && (p_dev_rec->hci_handle != BTM_SEC_INVALID_HANDLE)) {
5253 #if (L2CAP_UCD_INCLUDED == TRUE)
5254 /* if incoming UCD packet, discard it */
5255 if ( !p_dev_rec->is_originator && (p_dev_rec->is_ucd == TRUE )) {
5256 return (BTM_FAILED_ON_SECURITY);
5257 }
5258 #endif
5259
5260 BTM_TRACE_EVENT ("Security Manager: Start encryption\n");
5261
5262 if (!btm_sec_start_encryption (p_dev_rec)) {
5263 return (BTM_NO_RESOURCES);
5264 }
5265 return (BTM_CMD_STARTED);
5266 }
5267
5268 if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
5269 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
5270 BTM_TRACE_EVENT("%s: Security Manager: SC only service, but link key type is 0x%02x -"
5271 "security failure\n", __FUNCTION__, p_dev_rec->link_key_type);
5272 return (BTM_FAILED_ON_SECURITY);
5273 }
5274
5275 /* If connection is not authorized and authorization is required */
5276 /* start authorization and return PENDING to the caller */
5277 if (!(p_dev_rec->sec_flags & BTM_SEC_AUTHORIZED)
5278 && (( p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_OUT_AUTHORIZE))
5279 || (!p_dev_rec->is_originator && (p_dev_rec->security_required & BTM_SEC_IN_AUTHORIZE)))) {
5280 BTM_TRACE_EVENT ("service id:%d, is trusted:%d\n",
5281 p_dev_rec->p_cur_service->service_id,
5282 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5283 p_dev_rec->p_cur_service->service_id)));
5284 if ((btm_sec_are_all_trusted(p_dev_rec->trusted_mask) == FALSE) &&
5285 (p_dev_rec->p_cur_service->service_id < BTM_SEC_MAX_SERVICES) &&
5286 (BTM_SEC_IS_SERVICE_TRUSTED(p_dev_rec->trusted_mask,
5287 p_dev_rec->p_cur_service->service_id) == FALSE)) {
5288 BTM_TRACE_EVENT ("Security Manager: Start authorization\n");
5289 return (btm_sec_start_authorization (p_dev_rec));
5290 }
5291 }
5292
5293 /* All required security procedures already established */
5294 p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE |
5295 BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_IN_AUTHENTICATE |
5296 BTM_SEC_OUT_ENCRYPT | BTM_SEC_IN_ENCRYPT |
5297 BTM_SEC_FORCE_MASTER | BTM_SEC_ATTEMPT_MASTER |
5298 BTM_SEC_FORCE_SLAVE | BTM_SEC_ATTEMPT_SLAVE);
5299
5300 BTM_TRACE_EVENT ("Security Manager: trusted:0x%04x%04x\n", p_dev_rec->trusted_mask[1], p_dev_rec->trusted_mask[0]);
5301 BTM_TRACE_EVENT ("Security Manager: access granted\n");
5302
5303 return (BTM_SUCCESS);
5304 }
5305
5306 /*******************************************************************************
5307 **
5308 ** Function btm_sec_start_get_name
5309 **
5310 ** Description This function is called to start get name procedure
5311 **
5312 ** Returns TRUE if started
5313 **
5314 *******************************************************************************/
btm_sec_start_get_name(tBTM_SEC_DEV_REC * p_dev_rec)5315 static BOOLEAN btm_sec_start_get_name (tBTM_SEC_DEV_REC *p_dev_rec)
5316 {
5317 UINT8 tempstate = p_dev_rec->sec_state;
5318
5319 p_dev_rec->sec_state = BTM_SEC_STATE_GETTING_NAME;
5320
5321 /* Device should be connected, no need to provide correct page params */
5322 /* 0 and NULL are as timeout and callback params because they are not used in security get name case */
5323 if ((btm_initiate_rem_name (p_dev_rec->bd_addr, NULL, BTM_RMT_NAME_SEC,
5324 0, NULL)) != BTM_CMD_STARTED) {
5325 p_dev_rec->sec_state = tempstate;
5326 return (FALSE);
5327 }
5328
5329 return (TRUE);
5330 }
5331
5332 /*******************************************************************************
5333 **
5334 ** Function btm_sec_start_authentication
5335 **
5336 ** Description This function is called to start authentication
5337 **
5338 ** Returns TRUE if started
5339 **
5340 *******************************************************************************/
btm_sec_start_authentication(tBTM_SEC_DEV_REC * p_dev_rec)5341 static BOOLEAN btm_sec_start_authentication (tBTM_SEC_DEV_REC *p_dev_rec)
5342 {
5343 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHENTICATING;
5344
5345 return (btsnd_hcic_auth_request (p_dev_rec->hci_handle));
5346 }
5347
5348 /*******************************************************************************
5349 **
5350 ** Function btm_sec_start_encryption
5351 **
5352 ** Description This function is called to start encryption
5353 **
5354 ** Returns TRUE if started
5355 **
5356 *******************************************************************************/
btm_sec_start_encryption(tBTM_SEC_DEV_REC * p_dev_rec)5357 static BOOLEAN btm_sec_start_encryption (tBTM_SEC_DEV_REC *p_dev_rec)
5358 {
5359 if (!btsnd_hcic_set_conn_encrypt (p_dev_rec->hci_handle, TRUE)) {
5360 return (FALSE);
5361 }
5362
5363 p_dev_rec->sec_state = BTM_SEC_STATE_ENCRYPTING;
5364 return (TRUE);
5365 }
5366
5367
5368 /*******************************************************************************
5369 **
5370 ** Function btm_sec_start_authorization
5371 **
5372 ** Description This function is called to start authorization
5373 **
5374 ** Returns TRUE if started
5375 **
5376 *******************************************************************************/
btm_sec_start_authorization(tBTM_SEC_DEV_REC * p_dev_rec)5377 static UINT8 btm_sec_start_authorization (tBTM_SEC_DEV_REC *p_dev_rec)
5378 {
5379 UINT8 result;
5380 UINT8 *p_service_name = NULL;
5381 UINT8 service_id;
5382
5383 if ((p_dev_rec->sec_flags & BTM_SEC_NAME_KNOWN)
5384 || (p_dev_rec->hci_handle == BTM_SEC_INVALID_HANDLE)) {
5385 if (!btm_cb.api.p_authorize_callback) {
5386 return (BTM_MODE_UNSUPPORTED);
5387 }
5388
5389 if (p_dev_rec->p_cur_service) {
5390 #if BTM_SEC_SERVICE_NAME_LEN > 0
5391 if (p_dev_rec->is_originator) {
5392 p_service_name = p_dev_rec->p_cur_service->orig_service_name;
5393 } else {
5394 p_service_name = p_dev_rec->p_cur_service->term_service_name;
5395 }
5396 #endif
5397 service_id = p_dev_rec->p_cur_service->service_id;
5398 } else {
5399 service_id = 0;
5400 }
5401
5402 /* Send authorization request if not already sent during this service connection */
5403 if (p_dev_rec->last_author_service_id == BTM_SEC_NO_LAST_SERVICE_ID
5404 || p_dev_rec->last_author_service_id != service_id) {
5405 p_dev_rec->sec_state = BTM_SEC_STATE_AUTHORIZING;
5406 result = (*btm_cb.api.p_authorize_callback) (p_dev_rec->bd_addr,
5407 p_dev_rec->dev_class,
5408 p_dev_rec->sec_bd_name,
5409 p_service_name,
5410 service_id,
5411 p_dev_rec->is_originator);
5412 }
5413
5414 else { /* Already authorized once for this L2CAP bringup */
5415 BTM_TRACE_DEBUG ("btm_sec_start_authorization: (Ignoring extra Authorization prompt for service %d)\n", service_id);
5416 return (BTM_SUCCESS);
5417 }
5418
5419 if (result == BTM_SUCCESS) {
5420 p_dev_rec->sec_flags |= BTM_SEC_AUTHORIZED;
5421
5422 /* Save the currently authorized service in case we are asked again by another multiplexer layer */
5423 if (!p_dev_rec->is_originator) {
5424 p_dev_rec->last_author_service_id = service_id;
5425 }
5426
5427 p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
5428 }
5429 return (result);
5430 }
5431 btm_sec_start_get_name (p_dev_rec);
5432 return (BTM_CMD_STARTED);
5433 }
5434 #endif ///SMP_INCLUDED == TRUE
5435
5436 /*******************************************************************************
5437 **
5438 ** Function btm_sec_are_all_trusted
5439 **
5440 ** Description This function is called check if all services are trusted
5441 **
5442 ** Returns TRUE if all are trusted, otherwise FALSE
5443 **
5444 *******************************************************************************/
btm_sec_are_all_trusted(UINT32 p_mask[])5445 BOOLEAN btm_sec_are_all_trusted(UINT32 p_mask[])
5446 {
5447 UINT32 trusted_inx;
5448 for (trusted_inx = 0; trusted_inx < BTM_SEC_SERVICE_ARRAY_SIZE; trusted_inx++) {
5449 if (p_mask[trusted_inx] != BTM_SEC_TRUST_ALL) {
5450 return (FALSE);
5451 }
5452 }
5453
5454 return (TRUE);
5455 }
5456
5457 /*******************************************************************************
5458 **
5459 ** Function btm_sec_find_first_serv
5460 **
5461 ** Description Look for the first record in the service database
5462 ** with specified PSM
5463 **
5464 ** Returns Pointer to the record or NULL
5465 **
5466 *******************************************************************************/
5467 #if (SMP_INCLUDED == TRUE)
btm_sec_find_first_serv(CONNECTION_TYPE conn_type,UINT16 psm)5468 tBTM_SEC_SERV_REC *btm_sec_find_first_serv (CONNECTION_TYPE conn_type, UINT16 psm)
5469 {
5470 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5471 int i;
5472 BOOLEAN is_originator;
5473
5474 #if (L2CAP_UCD_INCLUDED == TRUE)
5475
5476 if ( conn_type & CONNECTION_TYPE_ORIG_MASK ) {
5477 is_originator = TRUE;
5478 } else {
5479 is_originator = FALSE;
5480 }
5481 #else
5482 is_originator = conn_type;
5483 #endif
5484
5485 if (is_originator && btm_cb.p_out_serv && btm_cb.p_out_serv->psm == psm) {
5486 /* If this is outgoing connection and the PSM matches p_out_serv,
5487 * use it as the current service */
5488 return btm_cb.p_out_serv;
5489 }
5490
5491 /* otherwise, just find the first record with the specified PSM */
5492 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) {
5493 if ( (p_serv_rec->security_flags & BTM_SEC_IN_USE) && (p_serv_rec->psm == psm) ) {
5494 return (p_serv_rec);
5495 }
5496 }
5497 return (NULL);
5498 }
5499
5500
5501 /*******************************************************************************
5502 **
5503 ** Function btm_sec_find_next_serv
5504 **
5505 ** Description Look for the next record in the service database
5506 ** with specified PSM
5507 **
5508 ** Returns Pointer to the record or NULL
5509 **
5510 *******************************************************************************/
btm_sec_find_next_serv(tBTM_SEC_SERV_REC * p_cur)5511 static tBTM_SEC_SERV_REC *btm_sec_find_next_serv (tBTM_SEC_SERV_REC *p_cur)
5512 {
5513 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5514 int i;
5515
5516 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) {
5517 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5518 && (p_serv_rec->psm == p_cur->psm) ) {
5519 if (p_cur != p_serv_rec) {
5520 return (p_serv_rec);
5521 }
5522 }
5523 }
5524 return (NULL);
5525 }
5526
5527 /*******************************************************************************
5528 **
5529 ** Function btm_sec_find_mx_serv
5530 **
5531 ** Description Look for the record in the service database with specified
5532 ** PSM and multiplexor channel information
5533 **
5534 ** Returns Pointer to the record or NULL
5535 **
5536 *******************************************************************************/
btm_sec_find_mx_serv(UINT8 is_originator,UINT16 psm,UINT32 mx_proto_id,UINT32 mx_chan_id)5537 static tBTM_SEC_SERV_REC *btm_sec_find_mx_serv (UINT8 is_originator, UINT16 psm,
5538 UINT32 mx_proto_id, UINT32 mx_chan_id)
5539 {
5540 tBTM_SEC_SERV_REC *p_out_serv = btm_cb.p_out_serv;
5541 tBTM_SEC_SERV_REC *p_serv_rec = &btm_cb.sec_serv_rec[0];
5542 int i;
5543
5544 BTM_TRACE_DEBUG ("%s()\n", __func__);
5545 if (is_originator && p_out_serv && p_out_serv->psm == psm
5546 && p_out_serv->mx_proto_id == mx_proto_id
5547 && p_out_serv->orig_mx_chan_id == mx_chan_id) {
5548 /* If this is outgoing connection and the parameters match p_out_serv,
5549 * use it as the current service */
5550 return btm_cb.p_out_serv;
5551 }
5552
5553 /* otherwise, the old way */
5554 for (i = 0; i < BTM_SEC_MAX_SERVICE_RECORDS; i++, p_serv_rec++) {
5555 if ((p_serv_rec->security_flags & BTM_SEC_IN_USE)
5556 && (p_serv_rec->psm == psm)
5557 && (p_serv_rec->mx_proto_id == mx_proto_id)
5558 && (( is_originator && (p_serv_rec->orig_mx_chan_id == mx_chan_id))
5559 || (!is_originator && (p_serv_rec->term_mx_chan_id == mx_chan_id)))) {
5560 return (p_serv_rec);
5561 }
5562 }
5563 return (NULL);
5564 }
5565 #endif ///SMP_INCLUDED == TRUE
5566
5567 /*******************************************************************************
5568 **
5569 ** Function btm_sec_collision_timeout
5570 **
5571 ** Description Encryption could not start because of the collision
5572 ** try to do it again
5573 **
5574 ** Returns Pointer to the TLE struct
5575 **
5576 *******************************************************************************/
5577 #if (SMP_INCLUDED == TRUE)
btm_sec_collision_timeout(TIMER_LIST_ENT * p_tle)5578 static void btm_sec_collision_timeout (TIMER_LIST_ENT *p_tle)
5579 {
5580 UNUSED(p_tle);
5581
5582 BTM_TRACE_EVENT ("%s()\n", __func__);
5583 btm_cb.sec_collision_tle.param = 0;
5584
5585 tBTM_STATUS status = btm_sec_execute_procedure (btm_cb.p_collided_dev_rec);
5586
5587 /* If result is pending reply from the user or from the device is pending */
5588 if (status != BTM_CMD_STARTED) {
5589 /* There is no next procedure or start of procedure failed, notify the waiting layer */
5590 btm_sec_dev_rec_cback_event (btm_cb.p_collided_dev_rec, status, FALSE);
5591 }
5592 }
5593
5594 /*******************************************************************************
5595 **
5596 ** Function btm_send_link_key_notif
5597 **
5598 ** Description This function is called when controller requests link key
5599 **
5600 ** Returns Pointer to the record or NULL
5601 **
5602 *******************************************************************************/
btm_send_link_key_notif(tBTM_SEC_DEV_REC * p_dev_rec)5603 static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
5604 {
5605 if (btm_cb.api.p_link_key_callback) {
5606 (*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5607 p_dev_rec->sec_bd_name, p_dev_rec->link_key,
5608 p_dev_rec->link_key_type,
5609 p_dev_rec->remote_supports_secure_connections);
5610
5611 }
5612 }
5613 #endif ///SMP_INCLUDED == TRUE
5614
5615 /*******************************************************************************
5616 **
5617 ** Function BTM_ReadTrustedMask
5618 **
5619 ** Description Get trusted mask for the peer device
5620 **
5621 ** Parameters: bd_addr - Address of the device
5622 **
5623 ** Returns NULL, if the device record is not found.
5624 ** otherwise, the trusted mask
5625 **
5626 *******************************************************************************/
BTM_ReadTrustedMask(BD_ADDR bd_addr)5627 UINT32 *BTM_ReadTrustedMask (BD_ADDR bd_addr)
5628 {
5629 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bd_addr);
5630 if (p_dev_rec != NULL) {
5631 return (p_dev_rec->trusted_mask);
5632 }
5633 return NULL;
5634 }
5635
5636 /*******************************************************************************
5637 **
5638 ** Function btm_restore_mode
5639 **
5640 ** Description This function returns the security mode to previous setting
5641 ** if it was changed during bonding.
5642 **
5643 **
5644 ** Parameters: void
5645 **
5646 *******************************************************************************/
5647 #if (SMP_INCLUDED == TRUE)
btm_restore_mode(void)5648 static void btm_restore_mode(void)
5649 {
5650 if (btm_cb.security_mode_changed) {
5651 btm_cb.security_mode_changed = FALSE;
5652 BTM_TRACE_DEBUG("%s() Auth enable -> %d\n", __func__, (btm_cb.security_mode == BTM_SEC_MODE_LINK));
5653 btsnd_hcic_write_auth_enable ((UINT8)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
5654 }
5655
5656 #if (CLASSIC_BT_INCLUDED == TRUE)
5657 if (btm_cb.pin_type_changed) {
5658 btm_cb.pin_type_changed = FALSE;
5659 btsnd_hcic_write_pin_type (btm_cb.cfg.pin_type);
5660 }
5661 #endif ///CLASSIC_BT_INCLUDED == TRUE
5662 }
5663 #endif ///SMP_INCLUDED == TRUE
5664
5665 /*******************************************************************************
5666 **
5667 ** Function btm_sec_find_dev_by_sec_state
5668 **
5669 ** Description Look for the record in the device database for the device
5670 ** which is being authenticated or encrypted
5671 **
5672 ** Returns Pointer to the record or NULL
5673 **
5674 *******************************************************************************/
btm_sec_find_dev_by_sec_state(UINT8 state)5675 tBTM_SEC_DEV_REC *btm_sec_find_dev_by_sec_state (UINT8 state)
5676 {
5677 #if (SMP_INCLUDED == TRUE)
5678 tBTM_SEC_DEV_REC *p_dev_rec = NULL;
5679 list_node_t *p_node = NULL;
5680 for (p_node = list_begin(btm_cb.p_sec_dev_rec_list); p_node; p_node = list_next(p_node)) {
5681 p_dev_rec = list_node(p_node);
5682 if ((p_dev_rec->sec_flags & BTM_SEC_IN_USE)
5683 && (p_dev_rec->sec_state == state)) {
5684 return (p_dev_rec);
5685 }
5686 }
5687 #endif ///SMP_INCLUDED == TRUE
5688 return (NULL);
5689 }
5690 /*******************************************************************************
5691 **
5692 ** Function btm_sec_change_pairing_state
5693 **
5694 ** Description This function is called to change pairing state
5695 **
5696 *******************************************************************************/
5697 #if (SMP_INCLUDED == TRUE)
btm_sec_change_pairing_state(tBTM_PAIRING_STATE new_state)5698 static void btm_sec_change_pairing_state (tBTM_PAIRING_STATE new_state)
5699 {
5700 tBTM_PAIRING_STATE old_state = btm_cb.pairing_state;
5701 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
5702 BTM_TRACE_EVENT ("%s() Old: %s\n", __func__, btm_pair_state_descr(btm_cb.pairing_state));
5703 BTM_TRACE_EVENT ("%s() New: %s pairing_flags:0x%x\n\n", __func__,
5704 btm_pair_state_descr(new_state), btm_cb.pairing_flags);
5705 #endif ///BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE
5706
5707 btm_cb.pairing_state = new_state;
5708
5709 if (new_state == BTM_PAIR_STATE_IDLE) {
5710 btu_stop_timer (&btm_cb.pairing_tle);
5711
5712 btm_cb.pairing_flags = 0;
5713 #if (CLASSIC_BT_INCLUDED == TRUE)
5714 btm_cb.pin_code_len = 0;
5715 #endif ///CLASSIC_BT_INCLUDED == TRUE
5716
5717 /* Make sure the the lcb shows we are not bonding */
5718 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, FALSE);
5719
5720 btm_restore_mode();
5721 btm_sec_check_pending_reqs();
5722 btm_inq_clear_ssp();
5723
5724 memset (btm_cb.pairing_bda, 0xFF, BD_ADDR_LEN);
5725 } else {
5726 /* If transitionng out of idle, mark the lcb as bonding */
5727 if (old_state == BTM_PAIR_STATE_IDLE) {
5728 l2cu_update_lcb_4_bonding (btm_cb.pairing_bda, TRUE);
5729 }
5730
5731 btm_cb.pairing_tle.param = (TIMER_PARAM_TYPE)btm_sec_pairing_timeout;
5732
5733 btu_start_timer (&btm_cb.pairing_tle, BTU_TTYPE_USER_FUNC, BTM_SEC_TIMEOUT_VALUE);
5734 }
5735 }
5736 #endif ///SMP_INCLUDED == TRUE
5737
5738
5739 /*******************************************************************************
5740 **
5741 ** Function btm_pair_state_descr
5742 **
5743 ** Description Return state description for tracing
5744 **
5745 *******************************************************************************/
5746 #if (BT_USE_TRACES == TRUE && SMP_INCLUDED == TRUE)
btm_pair_state_descr(tBTM_PAIRING_STATE state)5747 static char *btm_pair_state_descr (tBTM_PAIRING_STATE state)
5748 {
5749 #if (BT_TRACE_VERBOSE == TRUE)
5750 switch (state) {
5751 case BTM_PAIR_STATE_IDLE: return ("IDLE");
5752 case BTM_PAIR_STATE_GET_REM_NAME: return ("GET_REM_NAME");
5753 case BTM_PAIR_STATE_WAIT_PIN_REQ: return ("WAIT_PIN_REQ");
5754 case BTM_PAIR_STATE_WAIT_LOCAL_PIN: return ("WAIT_LOCAL_PIN");
5755 case BTM_PAIR_STATE_WAIT_NUMERIC_CONFIRM: return ("WAIT_NUM_CONFIRM");
5756 case BTM_PAIR_STATE_KEY_ENTRY: return ("KEY_ENTRY");
5757 case BTM_PAIR_STATE_WAIT_LOCAL_OOB_RSP: return ("WAIT_LOCAL_OOB_RSP");
5758 case BTM_PAIR_STATE_WAIT_LOCAL_IOCAPS: return ("WAIT_LOCAL_IOCAPS");
5759 case BTM_PAIR_STATE_INCOMING_SSP: return ("INCOMING_SSP");
5760 case BTM_PAIR_STATE_WAIT_AUTH_COMPLETE: return ("WAIT_AUTH_COMPLETE");
5761 case BTM_PAIR_STATE_WAIT_DISCONNECT: return ("WAIT_DISCONNECT");
5762 }
5763
5764 return ("???");
5765 #else
5766 sprintf(btm_cb.state_temp_buffer, "%d", state);
5767
5768 return (btm_cb.state_temp_buffer);
5769 #endif
5770 }
5771 #endif
5772
5773 /*******************************************************************************
5774 **
5775 ** Function btm_sec_dev_rec_cback_event
5776 **
5777 ** Description This function calls the callback function with the given
5778 ** result and clear the callback function.
5779 **
5780 ** Parameters: void
5781 **
5782 *******************************************************************************/
btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC * p_dev_rec,UINT8 res,BOOLEAN is_le_transport)5783 void btm_sec_dev_rec_cback_event (tBTM_SEC_DEV_REC *p_dev_rec, UINT8 res, BOOLEAN is_le_transport)
5784 {
5785 tBTM_SEC_CALLBACK *p_callback;
5786
5787 if (p_dev_rec && p_dev_rec->p_callback) {
5788 p_callback = p_dev_rec->p_callback;
5789 p_dev_rec->p_callback = NULL;
5790
5791 #if BLE_INCLUDED == TRUE
5792 if (is_le_transport) {
5793 (*p_callback) (p_dev_rec->ble.pseudo_addr, BT_TRANSPORT_LE, p_dev_rec->p_ref_data, res);
5794 } else
5795 #endif
5796 {
5797 (*p_callback) (p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR, p_dev_rec->p_ref_data, res);
5798 }
5799 }
5800 #if (SMP_INCLUDED == TRUE)
5801 btm_sec_check_pending_reqs();
5802 #endif ///SMP_INCLUDED == TRUE
5803 }
5804
5805 /*******************************************************************************
5806 **
5807 ** Function btm_sec_queue_mx_request
5808 **
5809 ** Description Return state description for tracing
5810 **
5811 *******************************************************************************/
5812 #if (SMP_INCLUDED == TRUE)
btm_sec_queue_mx_request(BD_ADDR bd_addr,UINT16 psm,BOOLEAN is_orig,UINT32 mx_proto_id,UINT32 mx_chan_id,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5813 static BOOLEAN btm_sec_queue_mx_request (BD_ADDR bd_addr, UINT16 psm, BOOLEAN is_orig,
5814 UINT32 mx_proto_id, UINT32 mx_chan_id,
5815 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5816 {
5817 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)osi_malloc (sizeof(tBTM_SEC_QUEUE_ENTRY));
5818
5819 if (p_e) {
5820 p_e->psm = psm;
5821 p_e->is_orig = is_orig;
5822 p_e->p_callback = p_callback;
5823 p_e->p_ref_data = p_ref_data;
5824 p_e->mx_proto_id = mx_proto_id;
5825 p_e->mx_chan_id = mx_chan_id;
5826 p_e->transport = BT_TRANSPORT_BR_EDR;
5827
5828 memcpy (p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5829
5830 BTM_TRACE_EVENT ("%s() PSM: 0x%04x Is_Orig: %u mx_proto_id: %u mx_chan_id: %u\n",
5831 __func__, psm, is_orig, mx_proto_id, mx_chan_id);
5832
5833 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e, FIXED_QUEUE_MAX_TIMEOUT);
5834
5835 return (TRUE);
5836 }
5837
5838 return (FALSE);
5839 }
btm_sec_check_prefetch_pin(tBTM_SEC_DEV_REC * p_dev_rec)5840 static BOOLEAN btm_sec_check_prefetch_pin (tBTM_SEC_DEV_REC *p_dev_rec)
5841 {
5842 BOOLEAN rv = FALSE;
5843 #if (CLASSIC_BT_INCLUDED == TRUE)
5844 UINT8 major = (UINT8)(p_dev_rec->dev_class[1] & BTM_COD_MAJOR_CLASS_MASK);
5845 UINT8 minor = (UINT8)(p_dev_rec->dev_class[2] & BTM_COD_MINOR_CLASS_MASK);
5846 rv = TRUE;
5847
5848 if ((major == BTM_COD_MAJOR_AUDIO)
5849 && ((minor == BTM_COD_MINOR_CONFM_HANDSFREE) || (minor == BTM_COD_MINOR_CAR_AUDIO)) ) {
5850 BTM_TRACE_EVENT ("%s() Skipping pre-fetch PIN for carkit COD Major: 0x%02x Minor: 0x%02x\n",
5851 __func__, major, minor);
5852
5853 if (btm_cb.security_mode_changed == FALSE) {
5854 btm_cb.security_mode_changed = TRUE;
5855 #ifdef APPL_AUTH_WRITE_EXCEPTION
5856 if (!(APPL_AUTH_WRITE_EXCEPTION)(p_dev_rec->bd_addr))
5857 #endif
5858 {
5859 btsnd_hcic_write_auth_enable (TRUE);
5860 }
5861 }
5862 } else {
5863 btm_sec_change_pairing_state (BTM_PAIR_STATE_WAIT_LOCAL_PIN);
5864
5865 /* If we got a PIN, use that, else try to get one */
5866 if (btm_cb.pin_code_len) {
5867 BTM_PINCodeReply (p_dev_rec->bd_addr, BTM_SUCCESS, btm_cb.pin_code_len, btm_cb.pin_code, p_dev_rec->trusted_mask);
5868 } else {
5869 /* pin was not supplied - pre-fetch pin code now */
5870 if (btm_cb.api.p_pin_callback && ((btm_cb.pairing_flags & BTM_PAIR_FLAGS_PIN_REQD) == 0)) {
5871 BTM_TRACE_DEBUG("%s() PIN code callback called\n", __func__);
5872 if (btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR) == NULL) {
5873 btm_cb.pairing_flags |= BTM_PAIR_FLAGS_PIN_REQD;
5874 }
5875 (btm_cb.api.p_pin_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
5876 p_dev_rec->sec_bd_name, (p_dev_rec->p_cur_service == NULL) ? FALSE
5877 : (p_dev_rec->p_cur_service->security_flags
5878 & BTM_SEC_IN_MIN_16_DIGIT_PIN));
5879 }
5880 }
5881
5882 rv = TRUE;
5883 }
5884 #endif ///CLASSIC_BT_INCLUDED == TRUE
5885 #
5886 return rv;
5887 }
5888
5889 /*******************************************************************************
5890 **
5891 ** Function btm_sec_auth_payload_tout
5892 **
5893 ** Description Processes the HCI Autheniticated Payload Timeout Event
5894 ** indicating that a packet containing a valid MIC on the
5895 ** connection handle was not received within the programmed
5896 ** timeout value. (Spec Default is 30 secs, but can be
5897 ** changed via the BTM_SecSetAuthPayloadTimeout() function.
5898 **
5899 *******************************************************************************/
btm_sec_auth_payload_tout(UINT8 * p,UINT16 hci_evt_len)5900 void btm_sec_auth_payload_tout (UINT8 *p, UINT16 hci_evt_len)
5901 {
5902 UINT16 handle;
5903
5904 STREAM_TO_UINT16 (handle, p);
5905 handle = HCID_GET_HANDLE (handle);
5906
5907 /* Will be exposed to upper layers in the future if/when determined necessary */
5908 BTM_TRACE_ERROR ("%s on handle 0x%02x\n", __func__, handle);
5909 }
5910
5911 /*******************************************************************************
5912 **
5913 ** Function btm_sec_queue_encrypt_request
5914 **
5915 ** Description encqueue encryption request when device has active security
5916 ** process pending.
5917 **
5918 *******************************************************************************/
btm_sec_queue_encrypt_request(BD_ADDR bd_addr,tBT_TRANSPORT transport,tBTM_SEC_CALLBACK * p_callback,void * p_ref_data)5919 static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT transport,
5920 tBTM_SEC_CALLBACK *p_callback, void *p_ref_data)
5921 {
5922 tBTM_SEC_QUEUE_ENTRY *p_e;
5923 p_e = (tBTM_SEC_QUEUE_ENTRY *)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1);
5924
5925 if (p_e) {
5926 p_e->psm = 0; /* if PSM 0, encryption request */
5927 p_e->p_callback = p_callback;
5928 p_e->p_ref_data = (void *)(p_e + 1);
5929 *(UINT8 *)p_e->p_ref_data = *(UINT8 *)(p_ref_data);
5930 p_e->transport = transport;
5931 memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN);
5932 fixed_queue_enqueue(btm_cb.sec_pending_q, p_e, FIXED_QUEUE_MAX_TIMEOUT);
5933 return TRUE;
5934 }
5935
5936 return FALSE;
5937 }
5938
5939 /*******************************************************************************
5940 **
5941 ** Function btm_sec_set_peer_sec_caps
5942 **
5943 ** Description This function is called to set sm4 and rmt_sec_caps fields
5944 ** based on the available peer device features.
5945 **
5946 ** Returns void
5947 **
5948 *******************************************************************************/
btm_sec_set_peer_sec_caps(tACL_CONN * p_acl_cb,tBTM_SEC_DEV_REC * p_dev_rec)5949 void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec)
5950 {
5951 BD_ADDR rem_bd_addr;
5952 UINT8 *p_rem_bd_addr;
5953
5954 if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
5955 btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
5956 btm_cb.security_mode == BTM_SEC_MODE_SC) &&
5957 HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1])) {
5958 p_dev_rec->sm4 = BTM_SM4_TRUE;
5959 p_dev_rec->remote_supports_secure_connections =
5960 (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_1]));
5961 } else {
5962 p_dev_rec->sm4 = BTM_SM4_KNOWN;
5963 p_dev_rec->remote_supports_secure_connections = FALSE;
5964 }
5965
5966 BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d\n", __FUNCTION__,
5967 p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections);
5968
5969 /* Store previous state of remote device to check if peer device downgraded
5970 * it's secure connection state. */
5971 #if (CLASSIC_BT_INCLUDED == TRUE)
5972 if (p_dev_rec->remote_supports_secure_connections >= p_dev_rec->remote_secure_connection_previous_state) {
5973 p_dev_rec->remote_secure_connection_previous_state = p_dev_rec->remote_supports_secure_connections;
5974 } else {
5975 BTM_TRACE_ERROR("Remote Device downgraded security from SC, deleting Link Key");
5976
5977 /* Mark in ACL packet that secure connection is downgraded. */
5978 p_acl_cb->sc_downgrade = 1;
5979 p_dev_rec->remote_secure_connection_previous_state = 0;
5980
5981 /* As peer device downgraded it's security, peer device is a suspicious
5982 * device. Hence remove pairing information by removing link key
5983 * information. */
5984 memset(p_dev_rec->link_key, 0, LINK_KEY_LEN);
5985 p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED
5986 | BTM_SEC_ENCRYPTED | BTM_SEC_NAME_KNOWN
5987 | BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
5988 | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
5989 return;
5990 }
5991 #endif
5992
5993 if (p_dev_rec->remote_features_needed) {
5994 BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!\n",
5995 __FUNCTION__);
5996 p_rem_bd_addr = (UINT8 *) rem_bd_addr;
5997 BDADDR_TO_STREAM(p_rem_bd_addr, p_dev_rec->bd_addr);
5998 p_rem_bd_addr = (UINT8 *) rem_bd_addr;
5999 btm_io_capabilities_req(p_rem_bd_addr);
6000 p_dev_rec->remote_features_needed = FALSE;
6001 }
6002 }
6003
6004 /*******************************************************************************
6005 **
6006 ** Function btm_sec_is_serv_level0
6007 **
6008 ** Description This function is called to check if the service corresponding
6009 ** to PSM is security mode 4 level 0 service.
6010 **
6011 ** Returns TRUE if the service is security mode 4 level 0 service
6012 **
6013 *******************************************************************************/
btm_sec_is_serv_level0(UINT16 psm)6014 static BOOLEAN btm_sec_is_serv_level0(UINT16 psm)
6015 {
6016 if (psm == BT_PSM_SDP) {
6017 BTM_TRACE_DEBUG("%s: PSM: 0x%04x -> mode 4 level 0 service\n", __FUNCTION__, psm);
6018 return TRUE;
6019 }
6020 return FALSE;
6021 }
6022
6023 /*******************************************************************************
6024 **
6025 ** Function btm_sec_check_pending_enc_req
6026 **
6027 ** Description This function is called to send pending encryption callback if
6028 ** waiting
6029 **
6030 ** Returns void
6031 **
6032 *******************************************************************************/
btm_sec_check_pending_enc_req(tBTM_SEC_DEV_REC * p_dev_rec,tBT_TRANSPORT transport,UINT8 encr_enable)6033 static void btm_sec_check_pending_enc_req (tBTM_SEC_DEV_REC *p_dev_rec, tBT_TRANSPORT transport,
6034 UINT8 encr_enable)
6035 {
6036 if (fixed_queue_is_empty(btm_cb.sec_pending_q)) {
6037 return;
6038 }
6039
6040 UINT8 res = encr_enable ? BTM_SUCCESS : BTM_ERR_PROCESSING;
6041 list_t *list = fixed_queue_get_list(btm_cb.sec_pending_q);
6042 for (const list_node_t *node = list_begin(list); node != list_end(list); ) {
6043 tBTM_SEC_QUEUE_ENTRY *p_e = (tBTM_SEC_QUEUE_ENTRY *)list_node(node);
6044 node = list_next(node);
6045
6046 if (memcmp(p_e->bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN) == 0 && p_e->psm == 0
6047 #if BLE_INCLUDED == TRUE
6048 && p_e->transport == transport
6049 #endif
6050 ) {
6051 #if BLE_INCLUDED == TRUE
6052 UINT8 sec_act = *(UINT8 *)(p_e->p_ref_data);
6053 #endif
6054
6055 if (encr_enable == 0 || transport == BT_TRANSPORT_BR_EDR
6056 #if BLE_INCLUDED == TRUE
6057 || (sec_act == BTM_BLE_SEC_ENCRYPT || sec_act == BTM_BLE_SEC_ENCRYPT_NO_MITM)
6058 || (sec_act == BTM_BLE_SEC_ENCRYPT_MITM && p_dev_rec->sec_flags
6059 & BTM_SEC_LE_AUTHENTICATED)
6060 #endif
6061 ) {
6062 if (p_e->p_callback) {
6063 (*p_e->p_callback) (p_dev_rec->bd_addr, transport, p_e->p_ref_data, res);
6064 }
6065
6066 fixed_queue_try_remove_from_queue(btm_cb.sec_pending_q, (void *)p_e);
6067 }
6068 }
6069 }
6070 }
6071 #endif ///SMP_INCLUDED == TRUE
6072
6073 /*******************************************************************************
6074 **
6075 ** Function btm_sec_set_serv_level4_flags
6076 **
6077 ** Description This function is called to set security mode 4 level 4 flags.
6078 **
6079 ** Returns service security requirements updated to include secure
6080 ** connections only mode.
6081 **
6082 *******************************************************************************/
6083 #if (SMP_INCLUDED == TRUE)
btm_sec_set_serv_level4_flags(UINT16 cur_security,BOOLEAN is_originator)6084 static UINT16 btm_sec_set_serv_level4_flags(UINT16 cur_security, BOOLEAN is_originator)
6085 {
6086 UINT16 sec_level4_flags = is_originator ? BTM_SEC_OUT_LEVEL4_FLAGS : BTM_SEC_IN_LEVEL4_FLAGS;
6087
6088 return cur_security | sec_level4_flags;
6089 }
6090 #endif ///SMP_INCLUDED == TRUE
6091
6092 /*******************************************************************************
6093 **
6094 ** Function btm_sec_clear_ble_keys
6095 **
6096 ** Description This function is called to clear out the BLE keys.
6097 ** Typically when devices are removed in BTM_SecDeleteDevice,
6098 ** or when a new BT Link key is generated.
6099 **
6100 ** Returns void
6101 **
6102 *******************************************************************************/
6103 #if (BLE_INCLUDED == TRUE)
btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC * p_dev_rec)6104 void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec)
6105 {
6106
6107 BTM_TRACE_DEBUG ("%s() Clearing BLE Keys\n", __func__);
6108 #if (SMP_INCLUDED== TRUE)
6109 p_dev_rec->ble.key_type = BTM_LE_KEY_NONE;
6110 memset (&p_dev_rec->ble.keys, 0, sizeof(tBTM_SEC_BLE_KEYS));
6111
6112 #if (BLE_PRIVACY_SPT == TRUE)
6113 btm_ble_resolving_list_remove_dev(p_dev_rec);
6114 #endif
6115 #endif
6116 }
6117 #endif ///BLE_INCLUDED == TRUE
6118 /*******************************************************************************
6119 **
6120 ** Function btm_sec_is_a_bonded_dev
6121 **
6122 ** Description Is the specified device is a bonded device
6123 **
6124 ** Returns TRUE - dev is bonded
6125 **
6126 *******************************************************************************/
btm_sec_is_a_bonded_dev(BD_ADDR bda)6127 BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda)
6128 {
6129
6130 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
6131 BOOLEAN is_bonded = FALSE;
6132
6133 if (p_dev_rec &&
6134 #if (SMP_INCLUDED == TRUE && BLE_INCLUDED == TRUE)
6135 ((p_dev_rec->ble.key_type && (p_dev_rec->sec_flags & BTM_SEC_LE_LINK_KEY_KNOWN)) ||
6136 #else
6137 (
6138 #endif
6139 (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN))) {
6140 is_bonded = TRUE;
6141 }
6142 BTM_TRACE_DEBUG ("%s() is_bonded=%d\n", __func__, is_bonded);
6143 return (is_bonded);
6144 }
6145
6146 /*******************************************************************************
6147 **
6148 ** Function btm_sec_is_le_capable_dev
6149 **
6150 ** Description Is the specified device is dual mode or LE only device
6151 **
6152 ** Returns TRUE - dev is a dual mode
6153 **
6154 *******************************************************************************/
btm_sec_is_le_capable_dev(BD_ADDR bda)6155 BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda)
6156 {
6157 BOOLEAN le_capable = FALSE;
6158
6159 #if (BLE_INCLUDED== TRUE)
6160 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev (bda);
6161 if (p_dev_rec && (p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) == BT_DEVICE_TYPE_BLE) {
6162 le_capable = TRUE;
6163 }
6164 #endif
6165 return le_capable;
6166 }
6167
6168 /*******************************************************************************
6169 **
6170 ** Function btm_sec_find_bonded_dev
6171 **
6172 ** Description Find a bonded device starting from the specified index
6173 **
6174 ** Returns TRUE - found a bonded device
6175 **
6176 *******************************************************************************/
6177 #if (BLE_INCLUDED == TRUE)
btm_sec_find_bonded_dev(UINT8 start_idx,UINT16 * p_found_handle,tBTM_SEC_DEV_REC ** p_rec)6178 BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT16 *p_found_handle, tBTM_SEC_DEV_REC **p_rec)
6179 {
6180 BOOLEAN found = FALSE;
6181
6182 #if (SMP_INCLUDED== TRUE)
6183 tBTM_SEC_DEV_REC *p_dev_rec;
6184 list_node_t *p_node = NULL;
6185 for (p_node = list_begin(btm_cb.p_sec_dev_rec_list); p_node; p_node = list_next(p_node)) {
6186 p_dev_rec = list_node(p_node);
6187 if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) {
6188 *p_found_handle = p_dev_rec->hci_handle;
6189 *p_rec = p_dev_rec;
6190 break;
6191 }
6192 }
6193 BTM_TRACE_DEBUG ("%s() found=%d\n", __func__, found);
6194 #endif
6195 return (found);
6196 }
6197 #endif ///BLE_INCLUDED == TRUE
6198 /*******************************************************************************
6199 **
6200 ** Function btm_sec_use_smp_br_chnl
6201 **
6202 ** Description The function checks if SMP BR connection can be used with
6203 ** the peer.
6204 ** Is called when authentication for dedicated bonding is
6205 ** successfully completed.
6206 **
6207 ** Returns TRUE - if SMP BR connection can be used (the link key is
6208 ** generated from P-256 and the peer supports Security
6209 ** Manager over BR).
6210 **
6211 *******************************************************************************/
6212 #if (SMP_INCLUDED == TRUE)
btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC * p_dev_rec)6213 static BOOLEAN btm_sec_use_smp_br_chnl(tBTM_SEC_DEV_REC *p_dev_rec)
6214 {
6215 UINT32 ext_feat;
6216 UINT8 chnl_mask[L2CAP_FIXED_CHNL_ARRAY_SIZE];
6217
6218 BTM_TRACE_DEBUG ("%s() link_key_type = 0x%x\n", __func__,
6219 p_dev_rec->link_key_type);
6220
6221 if ((p_dev_rec->link_key_type != BTM_LKEY_TYPE_UNAUTH_COMB_P_256) &&
6222 (p_dev_rec->link_key_type != BTM_LKEY_TYPE_AUTH_COMB_P_256)) {
6223 return FALSE;
6224 }
6225
6226 if (!L2CA_GetPeerFeatures (p_dev_rec->bd_addr, &ext_feat, chnl_mask)) {
6227 return FALSE;
6228 }
6229
6230 if (!(chnl_mask[0] & L2CAP_FIXED_CHNL_SMP_BR_BIT)) {
6231 return FALSE;
6232 }
6233
6234 return TRUE;
6235 }
6236
6237 /*******************************************************************************
6238 **
6239 ** Function btm_sec_is_master
6240 **
6241 ** Description The function checks if the device is BR/EDR master after
6242 ** pairing is completed.
6243 **
6244 ** Returns TRUE - if the device is master.
6245 **
6246 *******************************************************************************/
btm_sec_is_master(tBTM_SEC_DEV_REC * p_dev_rec)6247 static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
6248 {
6249 tACL_CONN *p = btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
6250 return (p && (p->link_role == BTM_ROLE_MASTER));
6251 }
6252
6253 #if (CLASSIC_BT_INCLUDED == TRUE)
6254 /*******************************************************************************
6255 **
6256 ** Function btm_sec_legacy_authentication_mutual
6257 **
6258 ** Description This function is called when legacy authentication is used
6259 ** and only remote device has completed the authentication
6260 **
6261 ** Returns TRUE if aunthentication command sent successfully
6262 **
6263 *******************************************************************************/
btm_sec_legacy_authentication_mutual(tBTM_SEC_DEV_REC * p_dev_rec)6264 BOOLEAN btm_sec_legacy_authentication_mutual (tBTM_SEC_DEV_REC *p_dev_rec)
6265 {
6266 return (btm_sec_start_authentication (p_dev_rec));
6267 }
6268
6269 /*******************************************************************************
6270 **
6271 ** Function btm_sec_update_legacy_auth_state
6272 **
6273 ** Description This function updates the legacy authentication state
6274 **
6275 ** Returns void
6276 **
6277 *******************************************************************************/
btm_sec_update_legacy_auth_state(tACL_CONN * p_acl_cb,UINT8 legacy_auth_state)6278 void btm_sec_update_legacy_auth_state(tACL_CONN *p_acl_cb, UINT8 legacy_auth_state)
6279 {
6280 if (p_acl_cb) {
6281 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (p_acl_cb->hci_handle);
6282 if (p_dev_rec) {
6283 if ((BTM_BothEndsSupportSecureConnections(p_dev_rec->bd_addr) == 0) &&
6284 (legacy_auth_state != BTM_ACL_LEGACY_AUTH_NONE)) {
6285 p_acl_cb->legacy_auth_state |= legacy_auth_state;
6286 } else {
6287 p_acl_cb->legacy_auth_state = BTM_ACL_LEGACY_AUTH_NONE;
6288 }
6289 }
6290 }
6291 }
6292
6293 /*******************************************************************************
6294 **
6295 ** Function btm_sec_handle_remote_legacy_auth_cmp
6296 **
6297 ** Description This function updates the legacy authneticaiton state
6298 ** to indicate that remote device has completed the authentication
6299 **
6300 ** Returns void
6301 **
6302 *******************************************************************************/
btm_sec_handle_remote_legacy_auth_cmp(UINT16 handle)6303 void btm_sec_handle_remote_legacy_auth_cmp(UINT16 handle)
6304 {
6305 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
6306 tACL_CONN *p_acl_cb = btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
6307 btm_sec_update_legacy_auth_state(p_acl_cb, BTM_ACL_LEGACY_AUTH_REMOTE);
6308 }
6309 #endif /// (CLASSIC_BT_INCLUDED == TRUE)
6310 #endif ///SMP_INCLUDED == TRUE
6311
6312 /******************************************************************************
6313 **
6314 ** Function btm_sec_dev_authorization
6315 **
6316 ** Description This function is used to authorize a specified device(BLE)
6317 **
6318 ******************************************************************************
6319 */
6320 #if (BLE_INCLUDED == TRUE)
btm_sec_dev_authorization(BD_ADDR bd_addr,BOOLEAN authorized)6321 BOOLEAN btm_sec_dev_authorization(BD_ADDR bd_addr, BOOLEAN authorized)
6322 {
6323 #if (SMP_INCLUDED == TRUE)
6324 UINT8 sec_flag = 0;
6325 tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev(bd_addr);
6326 if (p_dev_rec) {
6327 sec_flag = (UINT8)(p_dev_rec->sec_flags >> 8);
6328 if (!(sec_flag & BTM_SEC_LINK_KEY_AUTHED)) {
6329 BTM_TRACE_ERROR("Authorized should after successful Authentication(MITM protection)\n");
6330 return FALSE;
6331 }
6332
6333 if (authorized) {
6334 p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHORIZATION;
6335 } else {
6336 p_dev_rec->sec_flags &= ~(BTM_SEC_LE_AUTHORIZATION);
6337 }
6338 } else {
6339 BTM_TRACE_ERROR("%s, can't find device\n", __func__);
6340 return FALSE;
6341 }
6342 return TRUE;
6343 #endif ///SMP_INCLUDED == TRUE
6344 return FALSE;
6345 }
6346 #endif /// BLE_INCLUDE == TRUE
6347
